Abstract

This thesis describes the use of mathematical and axiomatic semantics as a means of giving complementary definitions of the semantics of programming languages. We show that by giving descriptions of language semantics at different levels of abstraction, we can both:

1. provide semantic definitions well-suited for the purposes for which formal descriptions are needed, e.g., proving properties of programs or showing implementations to be correct, and

2. develop a framework in which the issues involved in language design can be rigorously formulated.

As an example of the use of complementary definitions, we present mathematical and axiomatic definitions of a large subset of PASCAL. Using the mathematical definition as a model for the more abstract axiomatic semantics, we show that the axioms and rules of inference are valid with respect to the mathematical model, i.e., the definitions are consistent. We also show that mathematical semantics provides a useful complement to axiomatic semantics because of

1. the theory of computation underlying the mathematical approach, which provides important induction rules for proving the consistency of the definitions, and

2. the ability to understand the difficulties involved in extending the axiomatic definitions in terms of the domain structure of the mathematical definition.

The remainder of the thesis describes a number of possible extensions of the PASCAL subset in terms of their effect on the definitions given earlier. We show that certain constructs are inherently more complex than those used in the PASCAL subset, in terms of the domains necessary to give a simple, intuitive semantics of the constructs.
... correctness also require formal semantic definitions. It is important to remember, however, that the primary goal of formal semantics is to provide more effective communication between the language designer and the various audiences with an interest in the language.

One of the major problems in effectively communicating this intent is that we use the semantic description of a language at many different levels. At one level, a semantic definition should provide a means of reasoning about how to form programs using the facilities of the language, including the problems of guaranteeing the correctness of the programs produced. Semantic descriptions at a more detailed level are required as tools for language design and comparison. And, finally, sophisticated users and implementors may require language descriptions that give detailed descriptions of the sequence of operations invoked by each construct, to judge the relative efficiency of programs written in the language or to have a useful implementation model.

The complexities of programming languages also make the choice of an appropriate level of detail of a semantic description particularly important. For example, a compiler for a language provides a formal description of the semantics of the language. Yet the enormous amount of detail found in most compilers includes many notions irrelevant to an understanding of the language for many purposes, e.g., how to establish addressability on a particular machine. This detail only serves to cloud the essential characteristics of the language of interest to the casual user or language designer. Just as we can describe a program at several levels of abstraction, so it seems necessary to provide semantic descriptions at various "levels of abstraction" suited for the particular purpose for which a formal definition is required.

This thesis develops the proposition, first made by Hoare and Lauer [1974], that these characteristics of the problem of semantic description of programming languages make any single definition technique unsuitable for giving the sole description of the semantics of the language. Instead, we propose giving semantic descriptions in terms of complementary definitions, i.e., a set of definitions, each defining the language at a particular level of abstraction, and each well-suited for use for particular purposes. We show that by using the axiomatic approach to semantics developed by Hoare [1969a, 1969b, 1971a] and the mathematical approach of Scott and Strachey [Scott 1970, Scott 1972c, Scott and Strachey 1972] as complementary definition techniques, it is possible to give complete descriptions of useful programming languages that are suitable for a variety of purposes.

Although we could view the axiomatic definition as simply a useful abstraction of the mathematical definition, we will consider the definitions as truly complementary for two main reasons. First, as we will discuss further in the next chapter, the definitions given using each approach are definitely well-suited for different purposes. Moreover, in Chapter 4, we will use the implicit assumptions of the axiomatic approach to structure the domains used in the mathematical definition. Thus we not only use the mathematical definition to interpret the axiomatic definition, but we also use the axiomatic definition to impose limitations on the mathematical model.

The thesis presents a mathematical and axiomatic treatment of a large subset of the programming language PASCAL [Wirth 1973a]. The major results of the thesis include:

1. Complete mathematical and axiomatic definitions of the PASCAL subset are given. The mathematical definition uses a domain structure which reflects the implicit assumptions of the axiomatic approach, and which is less powerful and less "machine-oriented" than the more common mathematical model used for similar languages, i.e., the so-called "standard" semantics [Ligler 1975a]. Additionally, the axiomatic definition includes a new treatment of the semantics of input and output.

2. The axioms and rules of inference given by the axiomatic definition are proven to be valid with respect to the model provided by the mathematical definition. We also suggest how the proofs given could be mechanically checked, or even generated, using an LCF-like [Milner 1972] formal logic. The use of mathematical semantics as a model of axiomatic definitions is similar to work recently done by George Ligler at Oxford [Ligler 1975a, 1975b].

3. An interpretation of Dijkstra's "predicate transformers" [1973] is given and the properties of "healthy" predicate transformers are proven as theorems about the interpretation.

4. The domain structure of mathematical definitions is used to analyze the limitations of the axiomatic approach and the "complexity" of certain language constructs.


The organization of the thesis is as follows. Chapter 2 provides a review of the literature and a history of the development of various approaches to semantics. Chapter 3 provides the basic elements of the lattice-theoretic approach to the theory of computation used in the remainder of the thesis to give the mathematical semantics of the PASCAL subset. Chapter 4 presents the definition of the PASCAL subset using the axiomatic and mathematical approaches. In Chapter 5 we give an interpretation of axiomatic formulas in terms of the model provided by the mathematical definition and present the proofs of consistency of the axiomatic definition and the mathematical definition of the PASCAL subset. Additionally, a similar interpretation of predicate transformers is presented. Chapter 6 discusses extensions to the language in terms of their effect on the semantic model used in the definitions. Finally, we give summary, conclusions, and directions for future research in Chapter 7.
Chapter 2

History and Literature Review

2.1 Introduction

The most obvious characteristic of the literature on the semantics of programming languages is its diversity of viewpoint. The purpose of this chapter is to organize some of the basic ideas present in semantics research and to give a developmental context for the work described in the thesis.
... may be formally specified ...

... be co... included in the definition. All of the semantic models discussed in the remainder of this thesis will be interpreter-oriented models.

Specifically, by an interpreter-oriented formal semantics of a programming language, we mean:

1. a formal description of the "universe of discourse" for the language, i.e., the class of objects that may be manipulated by programs in the language. These objects could include "machine states," functions, normal form lambda expressions, assertions, or any other class of ...

... the associated outcome ("value") of each of the combinations in terms of its components.

Using this definition of semantics, the various interpreter-oriented methods that have been proposed for giving formal semantic definitions can be roughly classified as belonging to the following general categories:

1. operational,

2. denotational, and

3. propositional.

In this chapter, we present descriptions of each of these three major approaches to semantics. In particular, we focus on the level of abstraction at which the definition is given and the ways of using each of the different types of definitions to reason about programs written in the language defined.
To describe the various techniques of semantic definition in a more concrete form, we will present the definition of an example language using each of the formalisms described in this chapter and discuss the use of the definitions in reasoning about programs written in the language. To make this example as simple as possible and yet to prepare the reader for the more complex development of Chapters 4 and 5, we will consider a language having only while and assignment statements. The syntax of our example language is defined by the following grammar:

<statement> ::= <identifier> := <expression>
             |  while <expression> do <statement> od
             |  <statement> ; <statement>

For this example language, the ambiguity in the grammar given above is not important. We now consider the various ways of describing the semantics of this simple language.


2.2 Operational semantics

2.2.1 Background

An operational model of a programming language is given by:

1. defining an abstract "machine state," S, containing the essential information about the progress of the computation invoked by each program in the language, and

2. specifying the meaning of constructs in the language as their effect on the state, i.e., by a state transition function

Comp: S -> S.

This form of semantic definition has been used in many forms to define a wide variety of programming languages. Perhaps the two most important examples of operational definitions of languages are those given by Landin [1964, 1965, 1966a, 1966b] and the IBM Vienna group responsible for the formal definition of PL/I [Lucas, Lauer, and Stigleitner 1970, Lucas and Walk 1971].

In [1964], Landin described the so-called "SECD machine" as a means of defining the meaning of the evaluation of lambda calculus expressions. In [1965], the SECD machine was expanded to include a more complicated state. This "sharing machine" was then used to give a "compiler/interpreter" semantics for Algol 60 by:

1. specifying the translation of Algol 60 programs to lambda expressions, and

2. giving an interpretative meaning to the lambda expressions produced in terms of computations of the extended SECD machine.


A similar "compiler/interpreter" technique was used by [Lucas, Lauer, and Stigleitner 1970] to define the formal semantics of PL/I. The universe of discourse in the PL/I definitions is a class of labelled trees, defined using the Vienna Definition Language (VDL) (see [Wegner 1972] for a discussion of VDL and its use in defining programming language semantics). The "compiler" part of the PL/I definition (the "prepass") takes the input program and maps it into an abstract tree, which is then used as the program component in the "interpreter" part of the definition. The machine state in the PL/I definition is an abstract tree with subtrees representing components similar to those of the SECD machine, together with a number of additional components necessary to handle the many intricacies of the PL/I language.
2.2.2 A simple operational definition

The "state" in this simple operational model consists of a McCarthy "state vector" [McCarthy 1966] giving the values of the program variables. The state transition function, rather than producing a single new state, will instead produce a sequence of states representing all of the intermediate states produced during the computation (this is similar to the "iterator/recorder" model of Lauer [1971]). The most important characteristic of operational definitions is that this sequence of intermediate states is explicitly given by the definition, even if the only state of interest is the final one produced.

We give the operational definition of our simple language in terms of a function Comp of two arguments, a program text and the state vector representing the current state of the computation. Additionally, we will use the functions:

1. Out, which produces the final state vector of a finite sequence of states, and is undefined if the sequence is infinite, and

2. Eval, which produces the value of an expression relative to the current state.

Also, the following three notational conventions, used throughout the thesis, are introduced:

1. If s is a sequence of elements

s1 x s2 x ... x sn,

then s{i} will be used to denote the ith component of s. In the following examples, we will abuse the notation slightly and allow the selectors of state vector components to be identifiers, rather than integers.

2. Substitution of values in the state vector will be written as follows. If v is a value then the state vector s[x <- v] is defined as:

s[x <- v]{x} = v

s[x <- v]{y} = s{y} for all y ≠ x.

This can be read as "change the x component of s to have the value v."

3. The conditional expression

if p then e1 else e2

is defined as expected. If the value of p is true, then the value is e1; if the value of p is false, then the value is e2. In Chapter 3, we will redefine conditional expressions to allow p to be partial (i.e., to produce "undefined" as a result). For now, however, we will assume that all the predicates are total.

The definition of Comp follows, given by cases on the syntactic categories of statements:

Comp(x:=e, s) = s[x <- Eval(e,s)]

Comp(st1;st2, s) = Comp(st1, s) || Comp(st2, Out(Comp(st1, s)))

    where || is used to indicate concatenation of state sequences.

Comp(while b do st od, s) =
    if Eval(b,s) then
        Comp(st, s) || Comp(while b do st od, Out(Comp(st, s)))
    else s

2.2.3 Proving correctness using operational definitions

As an example of the use of the operational definition given above to prove that a program written in the language has a desired property, we present the following program, which computes x! and places the result in z:

y := 0;
z := 1;
while y ≠ x do
    y := y+1;
    z := z*y
od

Remember that the definition given above produces the sequence of states formed during execution of the program. To prove the program above is correct, we state the correctness condition as a predicate on states and prove that it is true of

Out(Comp(program, s))

by induction on the length of the state vector sequence produced by Comp. This is an example of computational induction.

Here the desired predicate is s{z} = s{x}!. From the definition of Comp, we can see that the finite sequences of states produced by Comp(program, s) have the form

s0 || s1 || ... || sn

where

s0 = Out(Comp(y:=0;z:=1, s))

...

s_{i+1} = Out(Comp(y:=y+1;z:=z*y, s_i))

To show that, for any final state s_n, s_n{z} = s_n{x}!, we will show by induction that s_i{z} = s_i{y}! is true of each of the intermediate states. Then, since from the definition of while we know that a final state s_n can be produced for the program only if s_n{y} = s_n{x}, we can deduce that s_n{z} = s_n{x}! is true of the final state produced.

Basis: s0 = Out(Comp(y:=0;z:=1, s))

         = (s[y<-0])[z<-1]

But 1 = 0!, so s0{z} = s0{y}!.

Induction: Assume s_i{z} = s_i{y}!.

s_{i+1} = Out(Comp(y:=y+1;z:=z*y, s_i))

        = Out(Comp(z:=z*y, s_i[y <- Eval(y+1, s_i)]))

        = (s_i[y<-Eval(y+1,s_i)])[z<-Eval(z*y, s_i[y<-Eval(y+1,s_i)])]

        = (s_i[y<-Eval(y+1,s_i)])[z<-Eval((y+1)*y!, s_i)]

          since s_i{z} = s_i{y}!

Therefore, s_{i+1}{z} = s_{i+1}{y}!, and for any s_n, s_n{z} = s_n{y}! and s_n{y} = s_n{x}.

Q.E.D.

For positive x, the fact that the program must terminate can be shown by a separate induction showing that y approaches x monotonically. [Manna, Ness, and Vuillemin 1972] contains a detailed discussion of computational induction and its relation to some of the other induction methods described below.
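The definition of Comp from section 2.2.2 and the states s0, s1, ..., sn of the proof above, made executable. This is an added example and not part of the thesis: the tuple-based abstract syntax, the representation of expressions as Python callables, and the `fuel` bound that stands in for Comp being undefined on a non-terminating loop are all choices made here.

```python
# Added example (not from the thesis): the operational definition Comp of
# section 2.2.2, producing the full sequence of state vectors, run on the
# factorial program of section 2.2.3.
import math
from typing import Callable

State = dict  # a McCarthy state vector: variable name -> value


def subst(s: State, x: str, v) -> State:
    """s[x <- v]: the state vector with its x component changed to v."""
    t = dict(s)
    t[x] = v
    return t


def Eval(e: Callable[[State], object], s: State):
    """Value of expression e relative to state s (expressions are callables here)."""
    return e(s)


def Out(seq: list) -> State:
    """Final state vector of a finite state sequence."""
    return seq[-1]


# Statements as tuples (abstract syntax constructed for this example):
#   ("assign", x, e)    x := e
#   ("seq", st1, st2)   st1 ; st2
#   ("while", b, st)    while b do st od
def Comp(st, s: State, fuel: int = 400) -> list:
    """Sequence of states produced by st from s, by cases on the syntax.
    The mathematical Comp is undefined for a non-terminating loop; here `fuel`
    bounds the number of loop iterations and a RecursionError stands for
    "undefined"."""
    kind = st[0]
    if kind == "assign":
        _, x, e = st
        return [subst(s, x, Eval(e, s))]
    if kind == "seq":
        _, st1, st2 = st
        first = Comp(st1, s, fuel)                   # Comp(st1, s) ||
        return first + Comp(st2, Out(first), fuel)   #   Comp(st2, Out(Comp(st1, s)))
    if kind == "while":
        _, b, body = st
        if Eval(b, s):
            if fuel == 0:
                raise RecursionError("Comp is undefined: the loop does not terminate")
            first = Comp(body, s, fuel)              # Comp(st, s) ||
            return first + Comp(st, Out(first), fuel - 1)  # Comp(while..., Out(Comp(st, s)))
        return [s]
    raise ValueError(f"unknown statement kind {kind!r}")


# The program of 2.2.3:  y := 0; z := 1; while y != x do y := y+1; z := z*y od
INIT = ("seq", ("assign", "y", lambda s: 0), ("assign", "z", lambda s: 1))
COND = lambda s: s["y"] != s["x"]
BODY = ("seq", ("assign", "y", lambda s: s["y"] + 1),
               ("assign", "z", lambda s: s["z"] * s["y"]))
PROGRAM = ("seq", INIT, ("while", COND, BODY))


def run(x: int) -> list:
    """Comp(program, s) for the initial state s = {x}."""
    return Comp(PROGRAM, {"x": x})


def proof_states(x: int) -> list:
    """The states s0, s1, ..., sn of the proof (x >= 0):
    s0 = Out(Comp(y:=0;z:=1, s)), s_{i+1} = Out(Comp(y:=y+1;z:=z*y, s_i))
    as long as the loop test holds."""
    if x < 0:
        raise ValueError("the loop does not terminate for negative x")
    states = [Out(Comp(INIT, {"x": x}))]
    while Eval(COND, states[-1]):
        states.append(Out(Comp(BODY, states[-1])))
    return states


def invariant_holds(x: int) -> bool:
    """The induction hypothesis s_i{z} = s_i{y}! checked on every s_i."""
    return all(s["z"] == math.factorial(s["y"]) for s in proof_states(x))


def terminates(x: int) -> bool:
    """True when Comp(program, {x}) is a finite sequence (within `fuel`)."""
    try:
        run(x)
        return True
    except RecursionError:
        return False


if __name__ == "__main__":
    seq = run(4)
    print(len(seq), "states; final state:", Out(seq))
```

Running the block prints the eleven states produced for x = 4 and the final state with z = 24. Note that the sequence returned by `run` also contains the states between the two assignments of the loop body, where z = y! does not hold; the proof only claims the invariant for the states s_i after each complete execution of the body, which is exactly what `proof_states` reconstructs. For negative x the loop never terminates, and `terminates` reports the case in which Out(Comp(program, s)) is undefined.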


2.3 Denotational semantics

2.3.1 Background

In the preceding definition, we described the meaning of the language in terms of the action of program and data together to give the sequence of states produced during the interpretation of a program. The approach taken in denotational definitions is to abstract the operational view of meaning and to consider the program as specifying a function of some appropriate type. Thus, meaning is given not in terms of state sequences, but simply as functions from states to states.
Perhaps the earliest example of a denotational definition of semantics of a language is due to McCarthy. In [1960], he defined the basis of a "mathematical theory of computation," also discussed in [1962, 1963]. Essentially, the formalism allowed the use of conditional expressions to specify recursively defined functions over arbitrary sets, in particular the set of LISP S-expressions [McCarthy, et al. 1965]. Using the formalism, [McCarthy 1960] defined a translation from simple flowchart programs to a set of mutually recursive function definitions on state vectors. Additionally, the LISP language [McCarthy, et al. 1965] was defined as a direct translation from the program text to similar recursive function definitions.

The other early work in denotational semantics is that of Strachey. In [1964], he defined a large segment of CPL, using a translation from text to lambda expressions. Rather than using an abstract machine to interpret the meaning of these expressions, as was done by Landin, they were simply considered as defining functions on an "abstract store." In this original work, however, the underlying set of values needed to define a language as complex as CPL made it doubtful whether any reasonable mathematical interpretation could be given to the equations presented. This problem was overcome by the development of the lattice-theoretic approach to the theory of computation by Scott [1970, 1971a, 1972b]. The lattice-theoretic approach will be discussed in Chapter 3 and will be the basis of the "mathematical semantics" of PASCAL described in Chapter 4.
2.3.2 A simple denotational definition

In this section, we will give a denotational semantics for the same language that was described operationally in 2.2.2. In this definition, meaning will be given by a function F of two arguments, a program text and a state vector, producing a state vector; i.e., F has functionality

F: Program -> [State -> State]

and gives the state-to-state mapping for each program in the language. Before giving the definition, one additional notational convention of importance needs to be given. To separate visually the program text from the state vector argument of F, we will use < and > to bracket the program text components of the definition. The meanings of the constructs in the language are given as follows:

F<x:=e>(s) = s[x <- Eval(e,s)]

F<st1;st2>(s) = (F<st2> ∘ F<st1>)(s)
    where (f ∘ g)(x) = f(g(x))

F<while b do st od>(s) =
    if Eval(b,s) then (F<while b do st od> ∘ F<st>)(s) else s

The important difference between this definition and our earlier operational definition is the lack of explicit sequencing in the denotational semantics. By giving a purely functional description of the language, the explicit sequence of operations given in the operational definition is now only implicitly specified in the definition of functional composition. This difference is particularly important in the case of the while statement. Here, as we will see below, the implicit specification of sequencing in denotational definitions leads to a different induction principle than that described above.


2.3.3 Proving correctness using denotational definitions

There are two ways in which the equations given above can be interpreted:

1. given a computation rule (for example, the renaming rules for the lambda calculus [1968]), the equations can be seen as a computation sequence (or a set of computation sequences) giving the value for each possible input, or

2. the equations do, in fact, define a function, giving the meaning of the constructs as graphs or sets of pairs.

These two interpretations differ particularly in the meaning given to recursive definitions (e.g., the definition of while given above), and each interpretation leads to a different method of reasoning about denotational definitions.


If we view the definitions as giving computation sequences for a particular computation rule (e.g., "call-by-value" or "call-by-name" evaluations), then we can use the computational induction method defined above to prove properties of programs using denotational definitions of semantics. In our example, the proof of correctness of the program using computational induction and the denotational definition would follow closely the proof given using computational induction and the operational definition of section 2.2. For this reason, such a proof will not be presented here. Several examples of applications of computational induction using denotational definitions of programs are found in [Manna, Ness, and Vuillemin 1972].

The other interpretation of the equations given above is that they define functions without reference to any rules of computation, other than those given to compute the values of the various base functions and forms of functional composition. The question of importance then becomes what function is defined by the recursive equations. Given an appropriate set of base functions and allowing only certain forms of functional composition (these restrictions will all be made more explicit in the next chapter), these recursive definitions can be described in terms of least fixed points.

The use of least fixed points to give meaning to recursive function definitions is described in many places ([deBakker 1971b, deBakker and Scott 1969, Donahue 1974a, Manna, Ness, and Vuillemin 1972, Manna and Vuillemin 1972, Scott and Strachey 1972]). Essentially the meaning of a definition of the form

f = F(f)

(where F is a functional, i.e., F maps functions to functions) is defined as the limit of the infinite sequence F^i(⊥), where ⊥ is the undefined element, i.e., the function that produces "undefined" for each argument, and the f^i values are defined by

f^0 = ⊥, the undefined function
f^{i+1} = F(f^i).

Using this meaning of recursive definitions, we can form the following infinite sequence of functions to define the semantics of while:

F^0<while b do st od> = ⊥, the undefined function on states

F^1<while b do st od>(s) =
    if Eval(b,s) then (F^0<while b do st od> ∘ F<st>)(s) else s
  = if Eval(b,s) then ⊥ else s

F^2<while b do st od>(s) =
    if Eval(b,s) then (F^1<while b do st od> ∘ F<st>)(s) else s

...

In our earlier operational description of while, we allowed infinite sequences of executions of the body. In contrast, this definition of while can be seen as defining an infinite sequence of functions, each of which can be interpreted as producing an undefined result if more than some finite number of iterations are required. This sequence of functions can also be used as the basis for an induction rule for reasoning about programs using denotational definitions.

In its simplest form, the fixed point induction rule is defined as follows. Assume we wish to prove a property p of a function f defined by

f = F(f).

If p(⊥) holds, and p(f^i) => p(f^{i+1}) where f^i = F^i(⊥), then we can deduce p(f). We can use fixed point induction to prove that the program

y := 0;
z := 1;
while y ≠ x do
    y := y+1;
    z := z*y
od

produces a state such that s{z} = s{x}! as follows.

For the only time in this thesis, we will give the denotational semantics of an entire program (for reasons that will become obvious in Chapter 4):
F<program>(s) = F<loop>((s[y<-0])[z<-1])

where

F<loop>(s') = if Eval(y≠x, s') then
                  F<loop>((s'[y<-Eval(y+1,s')])[z<-Eval(z*y, s'[y<-Eval(y+1,s')])])
              else s'

where we have expanded the meaning of the body of the loop to its associated state transformation. To prove that the program is correct, we will use fixed point induction to prove that the loop preserves the predicate z = y!, i.e., if z = y! is true for some state s, then either F<loop>(s) is undefined or z = y! is true of the state F<loop>(s). More formally, the condition p we wish to prove is

s{z} = s{y}!  =>  [F<loop>(s) undefined
                   or [(F<loop>(s)){z} = (F<loop>(s)){y}!
                       and (F<loop>(s)){x} = (F<loop>(s)){y}]]

As above, we can produce the sequence of functions

F^0<loop> = ⊥

F^1<loop>(s) = if Eval(y≠x, s) then
                   F^0<loop>((s[y<-Eval(y+1,s)])[z<-Eval(z*y, s[y<-Eval(y+1,s)])])
               else s
             = if Eval(y≠x, s) then ⊥ else s

F^2<loop>(s) = if Eval(y≠x, s) then
                   F^1<loop>((s[y<-Eval(y+1,s)])[z<-Eval(z*y, s[y<-Eval(y+1,s)])])
               else s

...

Now, the condition p defined above is obviously true for ⊥, since ⊥ produces undefined for all states. And, we can argue that if p is true for F^i<loop>, it must be true for F^{i+1}<loop> from a case analysis on the possible values of the expression y≠x. If the expression is false, then the proposition is obviously true. The case of y≠x being true is more complex, and depends on showing that the assignments made in the loop body preserve the relation z = y!. From this case analysis, we can deduce that p is true of F<loop> by fixed point induction. But

F<program>(s) = F<loop>((s[y<-0])[z<-1]).

So, from the predicate p and the fact that 1 = 0!, we have that the program is correct.

Q.E.D.
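The approximation sequence F^0<loop>, F^1<loop>, ... of the proof above, together with the condition p, as an added example that is not part of the thesis. It models the undefined function ⊥ as a Python function returning None, expands the loop body to its state transformation exactly as in the definition of F<loop>, and evaluates p on a few constructed sample states; the function names and the sample states are choices made here.

```python
# Added example (not from the thesis): the fixed point approximations of
# F<loop> for the factorial program, with ⊥ modelled as "returns None".
import math
from typing import Callable, Optional

State = dict
Denot = Callable[[State], Optional[State]]   # State -> State; None means undefined


def subst(s: State, x: str, v) -> State:
    """s[x <- v]."""
    t = dict(s)
    t[x] = v
    return t


def bottom(s: State) -> Optional[State]:
    """⊥: the function that produces "undefined" for every state."""
    return None


def loop_body(s: State) -> State:
    """Denotation of  y := y+1 ; z := z*y  as a state transformation:
       (s[y<-Eval(y+1,s)])[z<-Eval(z*y, s[y<-Eval(y+1,s)])]."""
    s1 = subst(s, "y", s["y"] + 1)
    return subst(s1, "z", s1["z"] * s1["y"])


def loop_functional(f: Denot) -> Denot:
    """The functional F with F<loop> = F(F<loop>):
       F(f)(s) = if Eval(y≠x, s) then f(loop_body(s)) else s."""
    def approx(s: State) -> Optional[State]:
        if s["y"] != s["x"]:
            return f(loop_body(s))   # undefined (None) propagates from f
        return s
    return approx


def approximations(n: int) -> list:
    """[F^0<loop>, ..., F^n<loop>] with F^0 = ⊥ and F^{i+1} = F(F^i)."""
    fs = [bottom]
    for _ in range(n):
        fs.append(loop_functional(fs[-1]))
    return fs


def program(f_loop: Denot) -> Denot:
    """F<program>(s) = F<loop>((s[y<-0])[z<-1]), for a given approximation of F<loop>."""
    return lambda s: f_loop(subst(subst(s, "y", 0), "z", 1))


def first_defined(x: int, bound: int = 50) -> Optional[int]:
    """Least i <= bound for which F^i<program>({x}) is defined, or None if every
    approximation up to the bound is undefined (as for a diverging loop)."""
    for i, f in enumerate(approximations(bound)):
        if program(f)({"x": x}) is not None:
            return i
    return None


def predicate_p(f: Denot, s: State) -> bool:
    """Condition p of the proof at state s:
       s{z} = s{y}!  =>  [f(s) undefined
                          or (f(s){z} = f(s){y}! and f(s){x} = f(s){y})]."""
    if s["z"] != math.factorial(s["y"]):
        return True                       # antecedent false
    t = f(s)
    return t is None or (t["z"] == math.factorial(t["y"]) and t["x"] == t["y"])


# Constructed sample states; the last one does not satisfy the antecedent z = y!.
SAMPLES = [
    {"x": 5, "y": 0, "z": 1},
    {"x": 5, "y": 2, "z": 2},
    {"x": 5, "y": 5, "z": 120},
    {"x": 2, "y": 1, "z": 7},
]


def p_holds_for_all_approximations(n: int) -> bool:
    """p(F^i<loop>) on the sample states for i = 0..n: the base case p(⊥) and
    each step p(F^i) => p(F^{i+1}) of the fixed point induction, on concrete states."""
    return all(predicate_p(f, s) for f in approximations(n) for s in SAMPLES)


if __name__ == "__main__":
    for x in (0, 3, 6, -1):
        print(f"x = {x}: first defined approximation F^{first_defined(x)}")
```

Each F^i<loop> is defined exactly on those states from which the loop finishes in fewer than i iterations, so F^i<program> on the initial state {x} is undefined for i <= x and yields z = x! from i = x+1 onwards; for a negative x every approximation is undefined, which is the denotational counterpart of the infinite state sequence in the operational definition. The checks of p on finite approximations do not replace the induction, but they show concretely what the base case and the induction step assert.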

2.4 Propositional semantics

2.4.1 Background

One way to view the difference between the operational and
denotational approach is to view the denotational definition as
an abstraction of essential properties of the operational
definition. In the operational definition, meaning was given by
a computation rule for producing the sequence of states produced
by execution of a program. In the denotational definitions,
although we could regard the equations as defining such a
sequence, we could also regard the definitions as giving abstract
functions on states with no explicit or implicit notion of
sequence present. This was the essential distinction between the
use of computational and fixed point induction in proving
properties of programs with the two definitions. The obvious
question is whether any even more abstract definitions can be
given, perhaps removing the notion of state from the semantic
definition. In the various propositional approaches to
semantics, this further abstraction is made.

The basic set of objects in the propositional approach,
rather than a set of "states," is the set of formulas of some
logical system. Although we can regard the formulas as
statements about the states present in the earlier definitions
(indeed, this is necessary if we wish to relate such definitions
to ones using operational or denotational forms), there is no
requirement that such an interpretation be made. The two most
important examples of propositional definitions are the inductive
assertion method of program verification of Floyd [1967] and
Hoare's axiomatic approach [1969a, 1969b, 1971a, 1972a, 1972b,
Clint and Hoare 1972, Hoare and Wirth 1972].

In the Floyd inductive assertion method, a flowchart of the
program is required (thus part of the semantic definition is a
translation from program text to flowchart form). Then for each
possible control path (each loop), a term in some logical system
(usually first order predicate calculus) is provided. These
terms are called assertions. A control path between assertions
is valid if the assertions satisfy a verification condition based
on the intervening primitive operations in the path. If the
assertions were placed at the start node and end node of the
flowchart (the input and output assertions), then the validity of
all control paths between them would imply the conditional
correctness of the program, i.e., for all input satisfying the
input predicate, program termination would imply that the output
satisfies the output predicate. The set of verification
conditions for the primitive operations of the language are the
second component of a semantic description using this approach.

Hoare captured the essence of verification conditions without
requiring the translation of the program text to flowchart (or
any other intermediate) form by regarding the program text as
specifying relations between assertions. In the Hoare system,
statements of the programming language are identified with
relations between assertions, where

1. atomic statements are characterized by axioms or axiom
schemas, and

2. compound statements are characterized by rules of
inference with one or more premisses.

As an example of such a definition, we now give a propositional
semantics for our example language.

2.4.2 A sample propositional definition

The language contains one atomic statement, assignment. Its
meaning will be defined by the axiom schema

    {P<e/x>} x:=e {P}

where P is any term in the assertion language and P<e/x> is the
result of substituting the expression e for all free occurrences
of x in P (with appropriate renamings to avoid name clashes
within P). The informal interpretation of this axiom is "if P
with e substituted for x is true of the state prior to execution
of the assignment statement x:=e, then P will be true of the
state after execution of the statement."

The meaning of the compound statements, sequencing and while,
are defined by the following rules of inference (with an informal
interpretation of each rule):

    {P} st1 {Q}, {Q} st2 {R}
    ------------------------
       {P} st1; st2 {R}

If the truth of P guarantees the truth of Q after the
execution of st1, and if the truth of Q guarantees the truth
of R after the execution of st2, then the truth of P
guarantees the truth of R after the execution of st1;st2.

          {P & b} st {P}
    -----------------------------
    {P} while b do st od {P & ¬b}

If the truth of P is preserved by the execution of st (whenever
b holds as well), then the truth of P is preserved by the while
statement with st as a body. Also, the condition b will be false
after the execution of the while. P is commonly called the "loop
invariant."

Additionally, we will require a rule of inference that will
allow us to incorporate deductions about assertions into proofs
of program properties. To do so, we will include in the
definition the following rule of consequence:

    If P=>R and S=>Q, then

        {R} st {S}
        ----------
        {P} st {Q}.

We have provided informal descriptions of the axioms and
rules of inference above as statements about the executions of
programs. However, strictly the definitions relate assertions,
which are simply logical statements, and no explicit notion of
either "state" or "sequence" appears in the definitions. Again,
the use of the definition to prove the correctness of a program
illustrates nicely the differences between propositional
semantics and the approaches described earlier.
2.4.3 Proving correctness using propositional definitions

Again we wish to prove that the following program computes
x!:

    z := 1;
    y := 0;
    while y≠x do
        y := y+1;
        z := z*y
    od

In terms of our definition, to prove the program correct, we
wish to show

    {true} program {z = x!}.

To do so, we can first show that

    {true} z:=1; y:=0 {z=y!} and
    {z=y! & y≠x} y:=y+1; z:=z*y {z=y!},

using the rules for assignment and sequences and the rule of
consequence. From the rule for while statements and the second
of the preceding observations, we can derive

    {z=y!} while y≠x do y:=y+1; z:=z*y od {z=y! & y=x},

and, combining this with the first inference from above, we
derive

    {true} program {z=y! & y=x}.

But it is clear that

    (z=y! & y=x) => (z=x!),

so we have proved that the program yields the desired result, if
it terminates.

An important aspect of this proof is that no explicit
induction is required. Since we have completely abstracted both
the sequencing and the state from the earlier definitions, there
is no way to simulate the inductive steps used in the preceding
proofs. Instead, the induction necessary to prove properties of
the while statement is made implicit in the definition of its
rule of inference by requiring the body of the while to keep the
assertion P invariant. In this way, from an inference about the
body of a while, we can immediately infer a property of the
while, rather than requiring an inductive step.

2.5 Complementary definitions

2.5.1 Introduction

The most important aspect of the preceding discussion of the
various approaches to semantics is that each of the forms of
semantic description can be seen as giving the meaning of a
programming language at a different level of abstraction. In the
case of operational definitions, the meaning includes an explicit
description of the state and the sequence of transformations
invoked by a program (a certain amount of non-determinism in the
production of this sequence can also be defined, as in the
definition of PL/I [Lucas, Lauer, and Stigleitner 1970]). In the
denotational definitions, by using a fixed point interpretation
of recursive definitions, the meaning of the state remains
explicit while sequencing becomes implicit. And the
propositional definitions remove even an explicit notion of state
from the meanings given.

In the case of the definitions given above, the simplicity of
the operational definition suggests that perhaps the other
definitions are superfluous, since the operational semantics give
the most detail and seem hardly more complex than either of the
other two definitions. However, it seems that for more complex
languages, the different levels of abstraction at which a
semantic description can be given do affect the usefulness of the
definition for particular purposes. The advantages and
disadvantages of each approach can be seen more clearly in the
definitions of Algol-like procedures using operational,
denotational, and axiomatic semantics.

2.5.2 Advantages and disadvantages of the approaches -- an
example

In an operational definition, to allow the specification of
the computation sequence invoked by a procedure call, the texts
of procedure bodies are viewed as data which must be represented
in the state in some form (for examples, see [Lauer 1968, Cook
1975]). Procedure declaration in an operational definition is
the process of forming an object of the appropriate form and
procedure call involves interpreting a procedure object as a
program and creating the linkages necessary for parameter passing
and returning after the call.

The major advantage of this approach to procedure declaration
and call is that the operational definition may provide a
reasonable model of an actual implementation. In particular, the
linkage mechanisms used to define parameter passing and procedure
return may give an implementor a good guide to how procedures
should be described for a real, rather than an "abstract,"
machine.

The disadvantage of this approach is that the full generality
of Algol-like procedures seems to require a rather complex
representation for the procedure objects. [Lauer 1971] uses a
simple textual substitution for procedure declaration, handling
parameter passing adequately but with no provision for recursion.
[Cook 1975] defines procedures by a "procedure environment"
mapping names to bodies and formal parameter lists. This handles
recursion properly (with some added complexity in the definition
of call to insure that the environment always contains a
representation of the called procedure in case a recursive call
is executed later), but fails to define procedures consistent
with the Algol scope rules for both procedure and variable
references. [Lauer 1968] does provide an accurate description of
Algol procedures, but requires an extra state component, the
environment directory, to handle procedures properly using the
tree-structured state of VDL definitions. Such complex
representations can only obscure the underlying semantic notion
of a procedure as a parameterized state transformation and make
operational definitions far less useful to language designers and
particularly to casual users, to whom such complex definitions
will shed no light on how they should use procedures to structure
their programs.

Denotational semantics allows us to define directly the
meaning of procedures as parameterized state transformations.
Recursion is readily handled as part of the definition, and
procedure call can be simply defined as the application of the
meaning of a procedure declaration to a set of arguments. At the
expense of providing a detailed implementation model, the
semantics can be given in terms of ideas that are fairly natural
to a language designer or serious user.

For the casual user of the language, even this level of
detail may be too much. To someone trying to use the semantic
definition as a tool to structure program development, the fact
that the state consists of components like environments, stores,
and input/output files may obscure the logical properties of
procedures that are of interest when one attempts to write a
program. Thus, for such a user, a propositional definition which
abstracts the essential properties of procedures, i.e., parameter
passing as substitution and proving properties of programs
containing procedure calls relative to the properties of the
procedure bodies, may be far more useful.

2.5.3

Two aspects of this analysis are of particular importance in
deciding how best to give the formal semantics of a programming
language:

1. Each of the approaches described above can be seen as
defining the semantics of a language at a particular
level of abstraction, and

2. The use of each of these levels of abstraction has
inherent implications about the utility of the language
definition for particular purposes.

This strongly suggests that there is no single approach to
semantics that can be used to give definitions meeting the needs
of all of the users of a semantic description. Instead, the best
way to give a complete, useful semantic description seems to be
by defining the language at more than one level of abstraction.
This is the main idea behind the work described in the thesis and
the reason for using the term complementary to describe the
definitions given. Although the definitions are not
complementary in terms of "level of abstraction," (i.e., the
axiomatic definition is definitely more abstract) they are
complementary in terms of their utility for specific purposes.
Moreover, in Chapter 4 we will use the more abstract axiomatic
approach to help structure the mathematical definition.

Although we can consider all three techniques described above
as complementary, the work described in the thesis focuses on two
of the three techniques:

1. the propositional approach, using Hoare's axiomatic
method, and

2. the denotational approach, using the Scott/Strachey
"mathematical semantics."

The reasons for this choice include the following:

1. A fair amount of work has been done on relating
operational and denotational semantic definitions
[Gordon 1973, Milne 1974] and operational and
propositional definitions [Lauer 1971, Gorelick 1975,
Cook 1975].

2. It was felt that the underlying theory of computation
upon which the mathematical approach is built would
provide advantages in developing the proofs of
consistency necessary to claim the definitions as being
complementary definitions of the same language.

3. Finally, it was claimed by Hoare and Lauer that one
advantage of developing complementary definitions and
proving the definitions consistent was that the process
might point up unnecessary complexities in the language
being defined. It was felt that by using denotational,
rather than operational, semantics the complexity
introduced by the defining mechanism would be kept to a
minimum. This, then, should make complexities in the
defined language more apparent. An analysis of PASCAL
in terms of the complementary definitions in the thesis
is presented in Chapter 6.

Before giving the complementary definitions of PASCAL using
the mathematical and axiomatic approaches, it is necessary to
give some basic definitions and notational conventions used in
the thesis.
Chapter 3

Basic Elements of the Lattice-Theoretic Approach

This chapter gives a description of the basic elements of the
lattice-theoretic approach to the theory of computation. We do
not provide motivation for the use of complete lattices and
continuous functions to define the semantics of programming
languages; the interested reader is referred to [Donahue 1974a,
Egli 1974, Reynolds 1972a, Scott 1972a, Scott and Strachey 1972]
for more detailed discussions and motivation of the lattice-
theoretic approach. This chapter also gives a number of basic
definitions and notational conventions that will be used in the
remainder of the thesis. Proofs of the propositions given below
can be found in [Reynolds 1972a].

3.1 Domains

The basic data types in the lattice-theoretic approach are
all defined as complete lattices ordered by an "approximation"
relation.

Notation: We write x ap y to indicate that x is an
approximation of y (alternatively, that y is an
extension of x). It should be clear that ap is
reflexive, transitive, and anti-symmetric.

Definition: A complete lattice D is a partially ordered set in
which each subset X of D has a least upper bound in D,
denoted lub{X}, and a greatest lower bound in D, denoted
glb{X}.

Definition: A domain is a complete lattice ordered by the
approximation relation ap.

Notation: For any domain D, lub{D} will be written t (for
top), and glb{D} will be written b (for bottom).

In the mathematical semantic descriptions of PASCAL given in
Chapter 4, all of the data types used will be complete lattices.
We could instead have used complete partial orderings (see [Egli
1973]) as the basic structure of domains, but we have not for the
following reason.

In the definitions of PASCAL, b is used as the meaning of all
programs which produce non-terminating computations, i.e.,
infinite loops or recursions. There are, however, valid PASCAL
programs which are clearly erroneous, but do not produce infinite
computations. For example, the expression

    5 + true

is syntactically valid PASCAL, but is clearly semantically
"meaningless" because of the type incompatibility of 5 and true.
In the definitions of Chapter 4, we will use t as the meaning of
such erroneous programs. Instead of relying on the existence of
an "overdefined" element as a member of each domain, we could
have added an extra "error" element to each domain defined as a
complete partial ordering, but this would only serve to make the
definitions that much more complex. For this reason, we have
used complete lattices as the basic data type of the definitions.

The following sorts of domains will be used:

1. Given a countable, unordered set s of elements,
the primitive domain S will be formed by adjoining to
the elements of s the values t and b and by defining ap
as:

    b ap si          ∀si∈s
    si ap t          ∀si∈s
    si ap sj iff si = sj   ∀si, sj ∈ s.

2. If D and D' are domains, then the Cartesian product
domain D x D' is defined for element pairs (d,d'), where

    (d1,d1') ap (d2,d2')
        iff d1 ap d2 in D and d1' ap d2' in D'.

3. If D and D' are domains, the disjoint union domain
D+D' is defined by adding t and b to D∪D' and
defining ap by

    x ap y in D + D' iff either

    a. x,y∈D and x ap y in D, or

    b. x,y∈D' and x ap y in D'.

4. The function domain D->D' is the domain of all functions
from D to D' where f ap g iff ∀d∈D, f(d) ap g(d).

5. If D is a domain, we will define the sequence of domains
D0, D1, D2, ... as follows:

    D0 = {nil}

    D1 = D

    Dn = D x Dn-1,   n≥2.

The domain Dn can be interpreted as being the domain of
lists of length n of elements of D. Also, we will
define the domain D* of all lists of elements of D by

    D* = D0 + D1 + D2 + ... + Dn + ...
3.2 Functions

All of the functions used in the remainder of the thesis will
be continuous, in terms of the following definitions.

Definition: A subset X of a domain D is directed iff X contains a
least upper bound for every finite subset of X.

Definition: A function f:D->D' is continuous iff for every
directed set X of D,

    f(lub{X}) = lub{f(x) | x∈X},

i.e., the function preserves limits.

Definition: If D and D' are domains, then the set of continuous
functions f:D->D' forms a domain under the partial
ordering

    f ap g iff ∀d∈D f(d) ap g(d).

The domain of continuous functions from D to D' will be
denoted D->D'.

The notation we will use throughout the thesis to define
functions is derived from Algol 68, rather than the more common
lambda notation. The relation between our notation and lambda
expressions is the following.

Notation: For untyped lambda expressions (used when the
domain of the argument is clear from the context),

    λx.body = (x):body.

For typed lambda expressions, if D is a domain,

    λx∈D.body = (D x):body.

For a sequence (x1, x2,..., xn) of arguments

    λ(x1,...,xn).body = (x1,...,xn):body.

For "Curried" functions

    λx1.λx2. ... λxn.body = (x1; x2; ...; xn):body.

Also, if f is a function of type D->D', its definition
will be written as

    f = (D x):D' body, or
    f(x) = body, or
    func f(x):body.

Additionally, to make the rather complex formulas of Chapter 4
easier to read, the following conventions will be followed when
giving function definitions. First, definitions of the form

    (x): body

will frequently be written as

    func (x): body,

simply to make the fact that a function is being defined more
noticeable to the reader. Also, in cases where the body of a
function is rather long, we will bracket the function body with
the symbols begin and end.

Definition: A function f:D->D' is said to be strict iff f(b)=b.
f is said to be doubly strict iff f(b)=b and f(t)=t.

There is an obvious relation between doubly strict functions
and the "call-by-value" computation rule. Unfortunately, we can
not define functions of several arguments to be doubly strict in
each argument, i.e., if a function produces b when one of its
arguments is b, then it can not produce t when another of its
arguments is t.

Definition: A function f:D->D' (where D may be a Cartesian
product domain) is said to be a call-by-value
extension of f*:D->D' iff

1. f(x)=b if any of the components of x is b, and

2. f(x)=t if none of the components of x is b and any
of the components of x is t, and

3. f(x) = f*(x) otherwise.
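The domain constructions of Section 3.1 and the strictness notions just defined are small enough to be checked by enumeration. The following Python program is an added example, not the thesis's own notation. It assumes that domain elements are ordinary Python values, that the strings BOT and TOP stand for b and t, and that the domains are finite; it builds the primitive, product and sum domains with their ap relations, checks that ap is a partial order in each, computes lub in a primitive domain, and wraps a two-argument function as its call-by-value extension to show why such a function cannot be doubly strict in each argument separately.

```python
"""Domains of Section 3.1 and strictness of Section 3.2, made concrete.
Added example, not from the thesis.  Assumptions: elements are Python
values, BOT and TOP stand for b and t, and all domains are finite."""
from itertools import product

BOT, TOP = "b", "t"


class Flat:
    """Primitive domain S: an unordered set with b and t adjoined (item 1)."""

    def __init__(self, elems):
        self.elems = [BOT, *elems, TOP]

    def ap(self, x, y):
        return x == BOT or y == TOP or x == y

    def lub(self, xs):
        proper = {x for x in xs if x != BOT}
        if not proper:
            return BOT
        return proper.pop() if len(proper) == 1 else TOP


class Product:
    """Cartesian product D x D', ordered componentwise (item 2)."""

    def __init__(self, d1, d2):
        self.d1, self.d2 = d1, d2
        self.elems = list(product(d1.elems, d2.elems))

    def ap(self, x, y):
        return self.d1.ap(x[0], y[0]) and self.d2.ap(x[1], y[1])


class Sum:
    """Disjoint union D + D': tag each element by its summand and add a
    fresh b below and a fresh t above everything (item 3)."""

    def __init__(self, d1, d2):
        self.parts = (d1, d2)
        self.elems = ([BOT] + [(0, x) for x in d1.elems]
                      + [(1, x) for x in d2.elems] + [TOP])

    def ap(self, x, y):
        if x == BOT or y == TOP or x == y:
            return True
        if x == TOP or y == BOT or x[0] != y[0]:
            return False
        return self.parts[x[0]].ap(x[1], y[1])


def is_partial_order(dom):
    """Reflexive, anti-symmetric and transitive, as the text claims of ap."""
    e, ap = dom.elems, dom.ap
    refl = all(ap(x, x) for x in e)
    anti = all(x == y or not (ap(x, y) and ap(y, x)) for x in e for y in e)
    trans = all(not (ap(x, y) and ap(y, z)) or ap(x, z)
                for x in e for y in e for z in e)
    return refl and anti and trans


def is_strict(f):
    return f(BOT) == BOT


def is_doubly_strict(f):
    return f(BOT) == BOT and f(TOP) == TOP


def cbv_extension(fstar):
    """Call-by-value extension of f*: b if any argument is b, else t if any
    argument is t, else f*(x).  A b argument must win over a t argument,
    which is why the function is not doubly strict in each argument."""
    def f(*args):
        if any(a == BOT for a in args):
            return BOT
        if any(a == TOP for a in args):
            return TOP
        return fstar(*args)
    return f


def cond(p, e1, e2):
    """if p then e1 else e2 on Bool: doubly strict in p, but not
    call-by-value in e1 and e2, which are passed through untouched."""
    if p == BOT:
        return BOT
    if p == TOP:
        return TOP
    return e1 if p else e2


Bool = Flat([True, False])                  # Bool = {b, true, false, t}
plus = cbv_extension(lambda a, c: a + c)    # constructed sample operation
```

With this representation the erroneous expression 5 + true of Section 3.1 is simply a point at which f* is never reached: if either argument is already t, the call-by-value extension returns t without looking at the other.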

Some of the functions commonly used in the thesis include:

1. The conditional if p then e1 else e2 defined for the
primitive domain Bool = {b, true, false, t} is the
doubly strict extension of the conditional used in
Chapter 2, i.e.,

    if b then e1 else e2 is b and
    if t then e1 else e2 is t.

Note that the conditional is not call-by-value on its
second and third arguments.

2. If f is a function of type D->D', then f[x<-e] is
defined as

    f[x <- e] = func(d): if d=x then e else f(d).

This can be read as "substitute e for x in f." Also, if
f' is a function of type

    f':D -> [D' -> D"]

then the function

    f'[x(v) <- e]

is defined as:

    f'[x(v) <- e] = func(d,d'):
        begin
            if d=x then
                if d'=v then e else f'(d;d')
            else f'(d;d')
        end

3. If D = D1 + ... + Dn + ..., then

a. For any d∈D, the projection of d into Dn, written
d to Dn of type D->Dn, is defined as:

    d to Dn = d' if d corresponds to d'∈Dn, or
              b if d does not correspond to any d'∈Dn.

b. For any d'∈Dn, the injection of d' into D, written
d' in D of type Dn->D, is defined as:

    d' in D = d, where d∈D corresponds to d'.

c. For any d∈D, the inspection of Dn for d, written
d is Dn of type D->Bool, is defined as:

    d is Dn = true if d corresponds to some d'∈Dn,
              false if d does not correspond
                    to any d'∈Dn.

All of these functions are doubly strict in their first
argument.

4. We will use the following "LISP-like" functions on
arbitrary lists (elements of D* for any domain D):

a. The head of a list in D* is denoted by the function

    hd:D* -> D

which returns the first element of its argument, or
t if the list is empty.

b. The tail of a list in D* is denoted by the function

    tl:D* -> D*

which returns the remainder of the list after the
first element is deleted. Again, if the list is
empty, the value returned is t.

c. To add a member of D to a list in D*, the functions
append and prefix are used.

    append:[D* x D] -> D*

takes the value of its second argument and appends
it to the list denoted by the first argument.

    prefix:[D x D*] -> D*

takes the value of the first argument and places it
at the head of the list denoted by the second
argument.
3.3 Recursion

3.3.1 Recursively defined domain elements

The semantic equations for PASCAL in Chapter 4 will make use
of a number of recursive definitions, similar to the definition
of the while statement in the previous chapter. This section
describes the meaning of such definitions in terms of least fixed
points.

Notation: Recursive definitions will be written using the
notation

    x = rec f(x)

to denote the recursive definition of the domain element
x in terms of the function f. The meaning of the
preceding equation will be that x is defined as the least
fixed point of f in terms of the following definition.

Definition: Consider a function f:D->D for some domain D. Then
x∈D is a fixed point of f iff x = f(x). A fixed point
x0 of f is a least fixed point iff for all x∈D,
x = f(x) implies x0 ap x.

Proposition: If f is a continuous function of type D->D for some
domain D, then f has a least fixed point in D.
Moreover, the least fixed point x = f(x) is given by the
iteration formula

    x = lub{fn(b) | n=0,1,2,...}

where

    f0(b) = b
    fn+1(b) = f(fn(b)).
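The iteration formula above is exactly the sequence F0<loop>, F1<loop>, F2<loop>, ... that Section 2 produced for the factorial loop, and the fixed point induction argument given there can be replayed on those approximations. The following Python program is an added example and is not the thesis's own code; it serves both the proposition above and the proof in Section 2. It assumes that a state is a dict mapping x, y and z to integers, that None plays the part of b as the undefined result of a partial state transformation, and that the only functional built in is the one for the loop body y:=y+1; z:=z*y. It builds the chain of approximations, checks that each approximates the next, checks the induction predicate p on every approximation, and shows that on finitely many initial states the chain reaches its limit.

```python
"""Least fixed point of the while-loop functional by the iteration formula
x = lub{fn(b) | n = 0, 1, 2, ...}, applied to the factorial loop of
Section 2.  Added example, not from the thesis.  Assumptions: a state is
a dict with integer x, y, z; None stands for b (undefined); only the
functional for the body y:=y+1; z:=z*y is provided."""
import math


def bottom(s):
    """F0<loop> = b: undefined on every state."""
    return None


def loop_functional(approx):
    """The functional whose least fixed point is F<loop>:
    tau(F)(s) = if y<>x then F((s[y<-y+1])[z<-z*y]) else s."""
    def next_approx(s):
        if s["y"] != s["x"]:
            s1 = dict(s, y=s["y"] + 1)           # s[y<-Eval(y+1, s)]
            s2 = dict(s1, z=s1["z"] * s1["y"])   # [z<-Eval(z*y, s1)]
            return approx(s2)
        return s
    return next_approx


def approximations(n):
    """The chain F0<loop>, F1<loop>, ..., Fn<loop> = tau^n(b)."""
    fs = [bottom]
    for _ in range(n):
        fs.append(loop_functional(fs[-1]))
    return fs


def ap(f, g, states):
    """f ap g on a finite set of states: wherever f is defined, g is
    defined and agrees with it."""
    return all(f(s) is None or f(s) == g(s) for s in states)


def predicate_p(f, s):
    """The induction hypothesis p of Section 2: if z = y! holds in s, then
    f(s) is undefined or it satisfies z = y! and x = y."""
    if s["z"] != math.factorial(s["y"]):
        return True
    r = f(s)
    return r is None or (r["z"] == math.factorial(r["y"]) and r["x"] == r["y"])


def check(max_x=6):
    """Chain property, p on every approximation, and exactness of the limit
    on the initial states z=1, y=0 of the program, for x = 0..max_x."""
    states = [{"x": x, "y": 0, "z": 1} for x in range(max_x + 1)]
    fs = approximations(max_x + 1)
    chain = all(ap(fs[i], fs[i + 1], states) for i in range(len(fs) - 1))
    induction = all(predicate_p(f, s) for f in fs for s in states)
    # On these finitely many states the last approximation is already the lub.
    limit = fs[-1]
    exact = all(limit(s)["z"] == math.factorial(s["x"]) for s in states)
    first_defined = [min(n for n, f in enumerate(fs) if f(s) is not None)
                     for s in states]
    return chain and induction and exact, first_defined
```

The list first_defined records, for each input x, the first n at which Fn<loop> is defined on that state: Fn<loop> is precisely the loop restricted to at most n-1 iterations, so the value is x+1, and every state is reached by some finite stage even though no single stage is the whole fixed point.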


3.3.2 Recursively defined domains

In addition to using recursively defined domain elements, the
semantics given in Chapter 4 will also make use of recursively
defined domains, particularly in the specification of domains
defining the various syntactic structures used. Detailed
discussions of the construction of such domains and numerous
examples of their use are given in [Reynolds 1972a, Scott
1971a]. Below we will give a basic description of the meaning
which will be given to these recursive domain equations.


Definition: Assume a basic set of domains B1,...,Bm. We say
that T(D) is a domain transformation over B1,...,Bm and
the domain variable D iff

1. T(D) = Bi for some Bi ∈ {B1,...,Bm}, or

2. T(D) = D, or

3. T(D) = T1(D) + T2(D), where T1 and T2 are domain
transformations over B1,...,Bm and D, or

4. T(D) = T1(D) x T2(D), where T1 and T2 are domain
transformations over B1,...,Bm and D, or

5. T(D) = T1(D) -> T2(D), where T1 and T2 are domain
transformations over B1,...,Bm and D.


Essentially, the set of allowable domain transformations are
the expressions that can be formed from the basic domains, the
domain variable D, and the operators +, x, and ->. We will give
meaning to a domain definition of the form D = T(D) as the
inverse limit of a retraction sequence, using the following
definitions.
Definition: An infinite sequence of domains D0, D1, ..., and
functions f1:D0->D1, f2:D1->D2, ..., and
g1:D1->D0, g2:D2->D1, ..., are a retraction sequence,
written

    D0<-f1,g1->D1<-f2,g2->D2 ...

iff for all i:

a. ∀d∈Di-1 gi(fi(d)) = d, and

b. ∀d'∈Di fi(gi(d')) ap d'.

Essentially, retraction sequences map each element of a
domain Di-1 into its exact image in Di and map each
element of the domain Di into its "approximate" image in
Di-1.

Definition: The limit (inverse limit) of a retraction
sequence

    D0<-f1,g1->D1<-f2,g2->D2 ...

is the partially ordered set Dinf of infinite sequences

    Dinf = {<x0,x1,...> | (∀n≥0)(xn∈Dn and xn = gn+1(xn+1))}.

Proposition: The inverse limit Dinf is a complete lattice under
the partial ordering x ap y iff xn ap yn for all n.
Proposition: Let D0, D1, ... be the sequence of domains

D0 = {⊥}
D1 = T(D0)
D2 = T(D1)
...
Dn = T(Dn-1)

for any domain transformation T over basic domains B1,...,Bm and the domain variable D. Then

a. there exist functions f1,f2,... and g1,g2,... such that the domains Di and the functions fi and gi form a retraction sequence, and

b. Dinf is isomorphic to T(Dinf).


Proposition: For any domain transformation T(D), there exists a domain D such that D = T(D), where "=" is read as "is isomorphic to." This domain is exactly the domain Dinf defined above.

We will use this construction of recursively defined domains to justify our use of "structural induction" in Chapter 5. We now present the definitions of the PASCAL subset.
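As an added illustration (not code from the thesis), the following Python builds the finite approximations D0 = {⊥}, D1 = T(D0), D2 = T(D1), ... of the proposition above for a transformation built with + and x (the -> case is left out so that every Di stays finite), together with the functions fi and gi, and checks both retraction conditions on every element. The tuple encoding of transformations and elements, and the sample transformation D = Bool + (D x D), are this example's own choices.

```python
from itertools import product

BOT = ("bot",)                       # bottom of a flat domain or of a sum
BOOL = ("basic", (True, False))      # a basic domain with elements {bottom, true, false}
# A transformation T is a nested tuple (this encoding is an assumption of the example):
#   ("basic", values) | "D" | ("sum", T1, T2) | ("prod", T1, T2)
# A domain is a pair (elements, leq) of a set and its partial order.

def elements(T, D):
    """All elements of the domain T(D)."""
    if T == "D":
        return set(D[0])
    kind = T[0]
    if kind == "basic":
        return {BOT} | {("b", v) for v in T[1]}
    if kind == "sum":                # separated sum: a new bottom below both summands
        return ({BOT} | {("inl", x) for x in elements(T[1], D)}
                      | {("inr", x) for x in elements(T[2], D)})
    return {("pair", a, b) for a, b in product(elements(T[1], D), elements(T[2], D))}

def leq(T, D, x, y):
    """The partial order of T(D), built structurally from the order of D."""
    if T == "D":
        return D[1](x, y)
    kind = T[0]
    if kind == "basic":              # flat: bottom is below everything, values are incomparable
        return x == BOT or x == y
    if kind == "sum":
        if x == BOT:
            return True
        return x[0] == y[0] and leq(T[1] if x[0] == "inl" else T[2], D, x[1], y[1])
    return leq(T[1], D, x[1], y[1]) and leq(T[2], D, x[2], y[2])

def apply(T, D):
    """The domain T(D) as an (elements, leq) pair."""
    return (elements(T, D), lambda x, y, T=T, D=D: leq(T, D, x, y))

def bottom(T, d_bot):
    """Least element of T(D), given the least element d_bot of D."""
    if T == "D":
        return d_bot
    if T[0] == "prod":
        return ("pair", bottom(T[1], d_bot), bottom(T[2], d_bot))
    return BOT

def lift(T, h):
    """T applied to a function h on D: the map on T(D) that applies h in every D position."""
    def lifted(x):
        if T == "D":
            return h(x)
        if T[0] == "basic" or x == BOT:
            return x
        if T[0] == "sum":
            return (x[0], lift(T[1] if x[0] == "inl" else T[2], h)(x[1]))
        return ("pair", lift(T[1], h)(x[1]), lift(T[2], h)(x[2]))
    return lifted

def retraction_sequence(T, n):
    """Domains D0..Dn with f_i: D_{i-1} -> D_i and g_i: D_i -> D_{i-1} (index 0 unused)."""
    doms, fs, gs = [({BOT}, lambda x, y: True)], [None], [None]   # D0 = {bottom}
    f = lambda x: bottom(T, BOT)     # f1 sends bottom to the bottom of D1
    g = lambda x: BOT                # g1 sends every element of D1 to bottom
    for _ in range(n):
        doms.append(apply(T, doms[-1]))
        fs.append(f)
        gs.append(g)
        f, g = lift(T, f), lift(T, g)   # f_{i+1} = T(f_i), g_{i+1} = T(g_i)
    return doms, fs, gs

def check_retraction(T, n):
    """True iff a. g_i(f_i(d)) = d and b. f_i(g_i(d')) is below d' hold for all i <= n."""
    doms, fs, gs = retraction_sequence(T, n)
    for i in range(1, n + 1):
        prev, cur = doms[i - 1], doms[i]
        if any(gs[i](fs[i](d)) != d for d in prev[0]):
            return False
        if any(not cur[1](fs[i](gs[i](d)), d) for d in cur[0]):
            return False
    return True

def domain_sizes(T, n):
    """Number of elements of D0, ..., Dn."""
    return [len(d[0]) for d in retraction_sequence(T, n)[0]]

# Constructed example: D = Bool + (D x D), binary trees with Boolean leaves.
TREE = ("sum", BOOL, ("prod", "D", "D"))

if __name__ == "__main__":
    print(domain_sizes(TREE, 3))      # [1, 5, 29, 845]
    print(check_retraction(TREE, 3))  # True
```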
Chapter 4

Complementary Definitions of a PASCAL Subset


4.1 Introduction


In this chapter, the semantics of a large subset of PASCAL is given using the axiomatic and mathematical approaches to semantic description. For the benefit of readers who may be unfamiliar with either or both of these formal semantic definition techniques, we begin by giving an informal description of the language, following the basic style of the Algol 60 Report [Naur 1963] and the Revised PASCAL Report [Wirth 1973a]. Following the informal description of the language, the formal presentations of its semantics are given.

The language defined below is both a subset and a dialect of PASCAL. First, we have omitted many PASCAL constructs from the language, primarily to reduce the size of the presentation. For example, in this thesis we do not consider the semantics of

1. the character, real, and pointer data types of PASCAL, or

2. records, sets, or file structures.

In the informal description given below, we will note several other aspects of PASCAL that have been omitted from the thesis. Also, in several cases, we have redefined the semantics of constructs in the PASCAL subset from their meaning given in [Wirth 1973a]. For example, rather than defining the full input and output facilities of PASCAL, our language includes only a limited facility to read and print integers. These changes from full PASCAL have been made for two reasons:

1. Some of the features of the language present no theoretical difficulty, but have been deleted or simplified to shorten the presentation and to avoid introducing excess detail in the definitions and proofs.

2. Some of the restrictions or redefinitions have been made because the constructs involved can be shown to ... [the rest of this item is garbled in the source; the legible fragments read] ... then, we ask the reader's forbearance ... In Chapter 6, ... results of this ... chapter. Until ... language which follows, ... imposed and some ... relatively minor ... restrictions on ... informal definition ... and motivated in more detail in section 4.2.6.


4.2 An informal description of the PASCAL subset


A PASCAL program is a sequence of declarations followed by an executable statement denoting the algorithm to be performed. The declarations serve to introduce new nomenclature in the program by naming either new variables (data objects), new functions (parts of a program that compute scalar values, activated by function designators), new procedures (named parts of a program activated by a procedure designator), or new labels (defining statements executed by a goto command). In our PASCAL subset, programs read data from an input file and write data to an output file. The result of a PASCAL subset program is the output file produced.

Statements are the operational units of the language. The basic statements include assignment statements (replacing the current value of a variable with a new value), goto statements (causing an explicit transfer of control to a labelled statement), procedure designators (calling for the execution of the program part defined by a procedure declaration), read statements (to place the next value from the input file into a variable), and write statements (placing the value of an expression at the end of the output file). These basic statements can be formed into structured statements including conditional, compound, and repetition statements (allowing both bounded and unbounded iteration).

The final basic syntactic unit in the language is that of expressions. An expression is a rule for a computation producing a scalar value. The basic components (operands) are the variables, constants, and function designators of the language. A large variety of operators is provided to produce complex structured expressions. The values produced by the computation of expressions are either integers or Booleans.
4.2.1 Basic concepts

4.2.1.1 Basic values


The language contains two types of basic values:

1. the set of truth values, or Booleans, with elements true and false.

2. the set of integers,

..., -1, 0, 1, ...

For each implementation, however, the integers will be restricted to a finite subset of values

min_int, ..., -2, -1, 0, 1, 2, ..., max_int.


4.2.1.2 Identifiers

Identifiers are used to denote variables, procedures, functions, and labels (this is a slight change from the Revised Report), and have no inherent meaning.

<identifier> ::= <letter> {<letter> | <digit>}

where, following [Wirth 1973a], we use

{ <production> }

to denote zero or more occurrences of members of the set of strings defined by the enclosed production.


4.2.2 Expressions

4.2.2.1 Variables

Variables are names given to data objects manipulated by the program. A variable may denote either a single scalar quantity, or it may denote a composite value from which components may be selected. Our subset of PASCAL allows only one-dimensional arrays as composite values. The syntax of variables is the following:

<variable> ::= <identifier>
            | <identifier> [<expression>]

In the first case, the meaning is to reference the entire data object denoted by the variable, while the second form is used to select a component from an array.

4.2.2.2 Function designators

The other basic expression is the function designator, specifying the activation of a function. The name of the function and the arguments, which must all be expressions or array identifiers (again, this is a restriction of full PASCAL), are given using the following syntax:

<function designator> ::= <identifier> (<value list>)

<value list> ::= <empty>
              | <value> {,<value>}

<value> ::= <identifier>
         | <expression>

The arguments to functions are all evaluated before the function body is invoked. Although we allow arrays, as well as scalar values, to be passed to functions, the result of a function must be a scalar, not an array.

4.2.2.3 Operators

The syntax of compound expressions is the following (reflecting the usual rules of operator precedence and left-to-right evaluation):

<factor> ::= <variable>
          | <function designator>
          | <unsigned constant>
          | ( <expression> )
          | ¬ <factor>
          | eof

eof is a globally declared identifier which is true iff the input file is empty. This is a minor restriction of the eof function of PASCAL, which can be applied to arbitrary files declared in a program.

<term> ::= <factor>
        | <term> <multiplying operator> <factor>

<simple expression> ::= <term>
                     | <simple expression> <adding operator> <term>
                     | + <term>
                     | - <term>

<expression> ::= <simple expression>
              | <simple expression> <relational operator> <simple expression>

The various operators are defined as follows:

1. ¬ is the Boolean negation operator.

2. The multiplying operators producing terms are

<multiplying operator> ::= * | div | mod | &


These operators ... [the rest of this sentence is garbled in the source; the legible fragments read] ... and Boolean ... The ... of any ... result less than min_int or greater than max_int ... an implementation ... define ...

<adding operator> ::= + | - | |

These denote the usual integer addition and subtraction and Boolean disjunction.

3. Additionally, used as unary operators, + denotes the identity operation on integers and - denotes sign inversion.

4. The following relational operators, producing Boolean values, are provided.

<relational operator> ::= = | ≠ | < | ≤ | > | ≥
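As an added example (not code from the thesis), the following Python implements the concrete expression grammar above as a recursive-descent parser producing a unary/binary tree, and evaluates it over integers and Booleans with min_int/max_int bounds. Function designators are omitted; the ASCII spellings ~, <>, <=, >=, the truncating behaviour of div and mod, and treating a result outside min_int..max_int as an error are this example's own assumptions.

```python
import operator
import re

MIN_INT, MAX_INT = -(2 ** 31), 2 ** 31 - 1      # constructed implementation limits
MUL, ADD = {"*", "div", "mod", "&"}, {"+", "-", "|"}
REL = {"=", "<>", "<", "<=", ">", ">="}
# Assumed ASCII spellings: ~ for the negation operator, <> <= >= for the relational symbols.
TOKEN = re.compile(r"\s*(?:(\d+)|([A-Za-z][A-Za-z0-9]*)|(<=|>=|<>|[-+*&|~=<>()\[\]]))")

def tokenize(src):
    """Split src into ("num", n), ("id", name) and ("op", symbol) tokens."""
    toks, pos, end = [], 0, len(src.rstrip())
    while pos < end:
        m = TOKEN.match(src, pos)
        if not m: raise SyntaxError(f"bad character {src[pos]!r}")
        num, ident, op = m.groups()
        if num: toks.append(("num", int(num)))
        elif op or ident in ("div", "mod", "eof"): toks.append(("op", op or ident))  # word symbols
        else: toks.append(("id", ident))
        pos = m.end()
    return toks

class Parser:
    """Recursive descent over <expression>, <simple expression>, <term> and <factor>."""
    def __init__(self, src): self.toks, self.i = tokenize(src), 0
    def peek(self): return self.toks[self.i] if self.i < len(self.toks) else ("end", None)
    def at_op(self, ops): return self.peek()[0] == "op" and self.peek()[1] in ops
    def take(self, want=None):
        tok, self.i = self.peek(), self.i + 1
        if want is not None and tok != ("op", want):
            raise SyntaxError(f"expected {want!r}, got {tok[1]!r}")
        return tok
    def expression(self):      # <simple expression> [<relational operator> <simple expression>]
        left = self.simple()
        return ("bin", self.take()[1], left, self.simple()) if self.at_op(REL) else left
    def simple(self):          # [+ | -] <term> {<adding operator> <term>}
        node = ("un", self.take()[1], self.term()) if self.at_op({"+", "-"}) else self.term()
        while self.at_op(ADD):
            node = ("bin", self.take()[1], node, self.term())
        return node
    def term(self):            # <factor> {<multiplying operator> <factor>}
        node = self.factor()
        while self.at_op(MUL):
            node = ("bin", self.take()[1], node, self.factor())
        return node
    def factor(self):
        kind, val = self.take()
        if kind == "num": return ("const", val)
        if kind == "id":       # <variable>: a plain identifier or an array element
            if not self.at_op({"["}): return ("var", val)
            self.take(); index = self.expression(); self.take("]")
            return ("elem", val, index)
        if val == "(":
            node = self.expression(); self.take(")"); return node
        if val == "~": return ("un", "~", self.factor())
        if val == "eof": return ("eof",)
        raise SyntaxError(f"unexpected {val!r}")

def parse(src):
    """Abstract syntax of src as nested tuples (const, var, elem, eof, un, bin)."""
    p = Parser(src)
    node = p.expression()
    if p.peek()[0] != "end": raise SyntaxError(f"trailing input at {p.peek()[1]!r}")
    return node

def typed(v, want_bool):       # operand type check; Python's bool is kept apart from int
    if isinstance(v, bool) != want_bool: raise TypeError("operand of the wrong type")
    return v
def ranged(v):                 # assumed implementation behaviour outside min_int..max_int
    if not MIN_INT <= v <= MAX_INT: raise OverflowError(f"{v} lies outside min_int..max_int")
    return v
def tdiv(x, y): return int(x / y)   # assumed: div truncates toward zero, mod is its remainder
BIN = {"+": lambda x, y: ranged(x + y), "-": lambda x, y: ranged(x - y),
       "*": lambda x, y: ranged(x * y), "div": tdiv, "mod": lambda x, y: x - y * tdiv(x, y),
       "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

def evaluate(node, env, input_empty=False):
    """Value of a parsed expression; env maps identifiers to scalars or lists, input_empty is eof."""
    ev = lambda n: evaluate(n, env, input_empty)
    kind = node[0]
    if kind in ("const", "eof"): return node[1] if kind == "const" else input_empty
    if kind == "var": return env[node[1]]
    if kind == "elem": return env[node[1]][typed(ev(node[2]), False)]
    if kind == "un":
        v = ev(node[2])
        if node[1] == "~": return not typed(v, True)
        return ranged(typed(v, False) * (1 if node[1] == "+" else -1))
    op, a, b = node[1], ev(node[2]), ev(node[3])
    if op in ("&", "|"):
        a, b = typed(a, True), typed(b, True)
        return (a and b) if op == "&" else (a or b)
    if op in ("=", "<>"):      # = and <> apply to two integers or to two Booleans
        if isinstance(a, bool) != isinstance(b, bool): raise TypeError("mixed operand types")
        return (a == b) if op == "=" else (a != b)
    return BIN[op](typed(a, False), typed(b, False))

def run(src, env=None, input_empty=False):
    return evaluate(parse(src), env or {}, input_empty)
```

Because & sits at the multiplying level and a relational operator may appear only once per expression, "x & y = z" parses as "(x & y) = z" and "a <= b | c > d" is not a well-formed expression at all; the parenthesised form "(a <= b) | c > d" parses but fails the type check on "(a <= b) | c".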

4.2.3 Statements

Statements denote the algorithmic actions performed by the program. They consist of simple statements and structured statements.

<statement> ::= <simple statement>
             | <structured statement>

4.2.3.1 Simple statements

The simple statements in the language are the assignment, procedure designation, goto, empty, read, and write statements.

<simple statement> ::= <assignment statement>
                    | <procedure statement>
                    | <goto statement>
                    | <empty statement>
                    | <read statement>
                    | <write statement>

An assignment statement causes the current value of a variable to be replaced with the value specified by an expression.

<assignment statement> ::= <variable> := <expression>

Procedure statements cause the procedure denoted by the procedure identifier to be executed. The statement may also contain a list of arguments, variable arguments and value arguments, to be substituted for the parameters in the procedure declaration.

<procedure statement> ::= <identifier> (<identifier list> : <value list>)

<identifier list> ::= <empty>
                   | <identifier> {,<identifier>}

This form of argument list is not standard PASCAL, but instead is borrowed from [Hoare 1971a]. Arguments to the right of the colon are value arguments. The corresponding parameter represents a variable local to the body of the procedure which is initialized to the value of the corresponding argument at the time of each procedure invocation. As with function designators, we use a value list for the syntax of value arguments to allow arrays, as well as scalars, to be passed as value arguments. Arguments to the left of the colon are variable arguments, and the corresponding parameter represents the variable denoted by the argument identifier during the execution of the procedure, i.e., variable arguments may be changed by the procedure.

The definition of procedure designators does not allow array elements to be passed as variable arguments, since the variable arguments to procedures must be identifiers, not variables. Additionally, we require that:

1. all variable arguments to a procedure are distinct identifiers, and

2. no identifier appearing in the variable arguments to a procedure appears in the value arguments to the procedure.

These restrictions on allowable argument lists are taken from [Hoare 1971a]. See section 4.2.6 for a further discussion of these restrictions.

Goto statements cause the statement labelled by the label of the goto to be the next statement executed.

<goto statement> ::= goto <label>

<label> ::= <identifier>

The goto used in this PASCAL subset differs from standard PASCAL in two respects:

1. labels, rather than being unsigned integers, are identifiers. This is a minor syntactic revision.

2. after termination of the statement to which control is transferred by the goto, the block in which the label occurs is terminated. This form of the goto as an "escape" is similar to that of [Clint and Hoare 1973]. See section 4.2.6 for a further discussion.

The empty statement denotes no action.

<empty statement> ::= null

The read statement causes the next value in the input file to be assigned to a variable.

<read statement> ::= read <variable>

Note: This is a rather substantial simplification of the file handling facilities of full PASCAL, but is introduced to allow simple input and output.

The write statement places the value of the expression at the end of the output file.

<write statement> ::= write <expression>

Again, this is a substantial simplification of the PASCAL input and output facilities.

4.2.3.2 Structured statements

The structured statements of the PASCAL subset include conditional, repetition, and compound statements.

<structured statement> ::= <conditional statement>
                        | <repetition statement>
                        | <compound statement>

The conditional statement causes statements to be executed or skipped depending on the truth of a condition, which must be an expression that evaluates to a Boolean value.

<conditional statement> ::= if <expression> then <statement list>
                            else <statement list> fi

<statement list> ::= <statement> {;<statement>}

Note: fi is not a part of standard PASCAL. Also, the case statement of PASCAL has been omitted from the subset used in this thesis.

Repetition statements specify that a statement list is to be executed repeatedly. The number of repetitions to be performed is determined from repeated execution of a Boolean expression in the while statement or from the initial and final values of the control variable in the for statement.

<repetition statement> ::= <while statement>
                        | <for statement>

<while statement> ::= while <expression> do <statement list> od

<for statement> ::= for <identifier> := <initial value> to <final value> do <statement list> od

<initial value> ::= <expression>

<final value> ::= <expression>

Note: the downto option of the for statement and the repeat statement in standard PASCAL have been omitted from the subset.

Compound statements specify that the statements are to be executed in the sequence written.

<compound statement> ::= begin <statement list> end

4.2.4 Declarations

4.2.4.1 Procedure declarations


A procedure declaration defines parts of programs and associates identifiers with them so that they can be activated by procedure statements.

<procedure declaration> ::= <procedure heading> <procedure or function body>

<procedure or function body> ::= <variable declaration part>
                                 <label declaration part>
                                 <procedure and function declaration part>
                                 <statement part>

<procedure heading> ::= procedure <identifier>;
                     | procedure <identifier> (<formal parameter list>);

<formal parameter list> ::= <identifier list> : <identifier list>

The procedure heading specifies the identifier naming the procedure and the formal parameters of the procedure. All parameters to the left of the colon are taken as variable parameters, those to the right of the colon as value parameters. Note: The use of the colon to separate variable and value arguments is a minor syntactic extension of PASCAL.

We will impose the following restrictions on procedure declarations:

1. All of the identifiers in the formal parameter list must be distinct. This is a rather trivial requirement (not mentioned in [Wirth 1973a]) that is easily justified as avoiding the confusion of having the same name refer to more than one value.

2. The value parameters may not appear either on the left-hand side of assignment statements (except in subscript expressions, of course), nor as variable arguments to procedures called from within the procedure body, nor in read statements. In other words, the value parameters may not be changed within the procedure.

3. No references to global variables are allowed within procedure bodies. All variables referenced within a procedure must either be formal parameters or variables declared locally to the procedure body.

4. Function and procedure parameters are not allowed.

5. Procedures may only reference procedures and functions declared previously in the program text (no mutually recursive system of procedures can be constructed in the subset).

See section 4.2.6 for a further discussion of these restrictions.

The variable declaration part contains all of the simple variables and arrays local to the procedure.

<variable declaration part> ::= <variable declaration> <array declaration>

<variable declaration> ::= <empty>
                        | var <identifier> {,<identifier>};

<array declaration> ::= <empty>
                     | array <identifier> {,<identifier>};

Note: type definitions and type declarations for variables are not included in the PASCAL subset. In Chapter 6, we will discuss the extension of the definitions to handle PASCAL type- and range-checking. Also, arrays do not have bounds associated with them and may "grow" during the execution of a program. Again, this characteristic of the subset will be discussed in Chapter 6.

The label declaration part specifies the statement associated with each label to which control can be transferred by goto statements within the statement part.

<label declaration part> ::= {label <identifier> : <statement>;}

Label declarations in the PASCAL subset are not inherited by internal procedures or functions. Thus, it is not possible either to transfer control into a procedure body or to terminate abnormally a procedure or function by transferring control to a globally declared label. This is a substantially different interpretation of labels from that of standard PASCAL and will be discussed further in 4.2.6 and Chapter 6.

The procedure and function declaration part specifies all procedure and function declarations local to the procedure.

<procedure and function declaration part> ::= {<procedure or function declaration>;}

<procedure or function declaration> ::= <procedure declaration>
                                     | <function declaration>




The statement part specifies the action to be performed when the procedure is activated. Use of the procedure identifier in a procedure statement within the statement part implies recursive activation of the procedure.

<statement part> ::= <compound statement>

4.2.4.2 Function declarations

Function declarations serve to define parts of a program that compute scalar values. Functions are activated by the use of a function designator, described in section 4.2.2.2.

<function declaration> ::= <function heading> <procedure or function body>

<function heading> ::= function <identifier>;
                    | function <identifier> (<identifier list>);

Within the function declaration, the use of the function identifier as a variable is allowed. The final value of the function is the final value of this variable. Use of the function identifier as a function designator within the statement part of the function implies recursive activation of the function. Note: the use of the function identifier as a variable in the function body is a minor generalization of PASCAL.

We will impose the following restrictions in function bodies:

1. All parameters to a function will be interpreted as value parameters. Like procedures, this means that no parameter may appear in the left-hand side of assignment statements, in variable argument lists in procedure calls, or in read statements within the function body.

2. As with procedures, we disallow function and procedure parameters and global variable references within the procedure body.

3. Also, we will disallow read and write statements within function bodies and procedures called from within functions. In conjunction with disallowing global variable references and procedure parameters, this will guarantee that all functions are without side-effects.

4.2.5 Programs

A PASCAL program is a procedure declaration with a slightly different heading.

<program> ::= <program heading> <procedure or function body>.

<program heading> ::= program <identifier>;

This completes the informal introduction to the PASCAL subset.

4.2.6 Restrictions revisited

4.2.6.1 Procedures

Recapitulating from above, we have placed the following major restrictions on the declaration and use of procedures in the PASCAL subset:

1. No global variable references are allowed,

2. Value parameters may not be changed within procedure bodies,

3. No function or procedure parameters are allowed,

4. Variable arguments to procedures must be identifiers, i.e., array elements are not allowed as variable arguments,

5. The variable argument list may not contain multiple occurrences of the same identifier,

6. No variable argument may appear in the value arguments in a procedure call, and

7. Procedures (and functions) may reference only procedures and functions that have been previously declared in the program text.

We now give a more thorough rationalization for restricting PASCAL subset procedures to those satisfying the conditions imposed above.

The restrictions on function and procedure parameters and the inability to reference procedures and functions declared later in the program text are primarily restrictions of convenience to shorten the presentation. In both cases, the changes required in the mathematical definitions given below would not be overly complex, particularly because of the simple form of procedures and functions allowed in the PASCAL subset. However, to give axiomatic definitions of such extended procedures would require rather cumbersome rules of inference, making the presentation of the definitions and the proof of their consistency a good deal more complex. For an example of an axiomatic definition of systems of mutually recursive procedures (which are not allowed in the PASCAL subset because of the requirement of declaration before use), the reader may consult [Gorelick 1975].
The restriction on array elements as variable arguments to procedures is imposed for reasons that will be described in Chapter 6. The other restrictions on procedure declaration and call all appear in similar work in axiomatic semantics [Hoare 1971a] and operational models of axiomatically defined languages [Lauer 1971, Cook 1975, Gorelick 1975]. The restriction on global variables first appears in [Lauer 1971], and attempts to remove the restriction are described in [Hoare and Wirth 1972, Cook 1975, Gorelick 1975]. Hoare and Wirth describe the semantics of PASCAL procedures as a multiple assignment to the variable arguments and the global variables changed by the procedure. However, as noted in [Donahue 1974b], the rule of inference presented does not account adequately for the scope of variables in PASCAL (or other Algol-like languages). Cook [1975] and Gorelick [1975] give operational semantics to an "Algol fragment" (essentially the language used by Lauer in his thesis), in which they allow global variable references in procedures. However, the scope of variables is determined dynamically, as in SNOBOL4, rather than statically, as in Algol-like languages. In our PASCAL subset, we will simply disallow global variable references. However, in Chapter 6, we will return to this restriction and examine it in terms of the mathematical model needed to define these extended procedures consistent with the Algol or PASCAL scope rules.

Multiple occurrences of identifiers in the list of variable arguments to a procedure and the use of variable arguments in the list of value arguments are discussed in [Hoare 1971a]. A justification for these restrictions in terms of an informal interpretation of the rule of inference for procedure call and the possible complications caused by such "ill-formed" argument lists is presented there for the interested reader.

Finally, our subset does not allow value parameters to be changed within procedures. Again, this restriction also appears in much of the literature on the axiomatic definition of procedures, and is imposed because of the form of the rule of inference for procedure call used. However, this restriction is also consistent with the first PASCAL definition [Wirth 1971], which allowed only var parameters (like our variable parameters) and const parameters. The const parameters were used to denote parameters that could not be changed within the procedure body, like the value parameters of our subset. This was changed in [Hoare and Wirth 1972], however.
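The argument-list restrictions on procedure statements (section 4.2.3) and the restrictions on procedure declarations (section 4.2.4.1), recapitulated above, are all static properties of the program text, so they can be checked before any semantics is applied. The following Python checker is an added example rather than code from the thesis: it takes procedure declarations written as nested tuples in the shape of the abstract syntax of section 4.3 and reports every violation. The tuple encoding, the constructed sample procedures, the omission of function designators, and the treatment of a for-loop control variable as a mere reference are this example's own assumptions.

```python
def expr_ids(e):
    """Identifiers referenced by an abstract-syntax expression (function designators omitted)."""
    kind = e[0]
    if kind == "var":
        return {e[1]}
    if kind == "elem":
        return {e[1]} | expr_ids(e[2])
    if kind in ("un", "bin"):
        return set().union(*(expr_ids(sub) for sub in e[2:]))
    return set()                       # ("const", c) and ("eof",)

def target_ids(v):
    """(assigned identifier, identifiers used in its subscript) for a <variable>."""
    return (v[1], expr_ids(v[2]) if v[0] == "elem" else set())

def events(s):
    """Yield ("assign", id), ("ref", ids) and ("call", callee, var_args, val_args) for a statement."""
    kind = s[0]
    if kind in ("assign", "read"):     # both replace the value of a variable
        name, used = target_ids(s[1])
        yield ("assign", name)
        yield ("ref", used | (expr_ids(s[2]) if kind == "assign" else set()))
    elif kind == "call":
        yield ("call", s[1], tuple(s[2]), tuple(s[3]))
        yield ("ref", set(s[2]).union(*(expr_ids(v) for v in s[3])))
    elif kind == "write":
        yield ("ref", expr_ids(s[1]))
    elif kind in ("if", "while"):
        yield ("ref", expr_ids(s[1]))
        for sub in s[2:]:
            yield from events(sub)
    elif kind == "for":                # control variable treated as a reference only (assumption)
        yield ("ref", {s[1]} | expr_ids(s[2]) | expr_ids(s[3]))
        yield from events(s[4])
    elif kind in ("seq", "begin"):
        for sub in s[1:]:
            yield from events(sub)
    # "goto" and "null" use no variables; labels live in a separate name space

def check_procedure(decl, declared_before):
    """Violations of the restrictions of 4.2.3 and 4.2.4.1 inside one procedure declaration."""
    _, name, var_params, val_params, local_vars, body = decl
    formals = list(var_params) + list(val_params)
    known = set(formals) | set(local_vars)
    problems = []
    if len(set(formals)) != len(formals):
        problems.append(f"{name}: formal parameters are not distinct")
    for ev in events(body):
        if ev[0] == "assign" and ev[1] in val_params:
            problems.append(f"{name}: value parameter {ev[1]} is changed")
        elif ev[0] == "ref":
            problems += [f"{name}: reference to global variable {g}" for g in sorted(ev[1] - known)]
        elif ev[0] == "call":
            callee, var_args, val_args = ev[1:]
            if callee != name and callee not in declared_before:   # recursion is allowed
                problems.append(f"{name}: {callee} is called before its declaration")
            if len(set(var_args)) != len(var_args):
                problems.append(f"{name}: repeated variable argument in call of {callee}")
            problems += [f"{name}: value parameter {v} passed as variable argument to {callee}"
                         for v in var_args if v in val_params]
            aliased = set(var_args) & set().union(*(expr_ids(e) for e in val_args))
            problems += [f"{name}: {v} is both a variable and a value argument of {callee}"
                         for v in sorted(aliased)]
    return problems

def check_program(decls):
    """Check procedure declarations in text order; returns all violations found."""
    problems, declared = [], set()
    for decl in decls:
        problems += check_procedure(decl, declared)
        declared.add(decl[1])
    return problems

# Constructed sample in the tuple form ("proc", name, var params, value params, locals, body).
SWAP = ("proc", "swap", ["x", "y"], [], ["t"],
        ("begin", ("seq", ("assign", ("var", "t"), ("var", "x")),
                   ("seq", ("assign", ("var", "x"), ("var", "y")),
                           ("assign", ("var", "y"), ("var", "t"))))))
BAD = ("proc", "bad", ["a"], ["n"], ["i"],
       ("begin", ("seq", ("assign", ("elem", "a", ("var", "n")), ("const", 0)),  # n only subscripts: allowed
                 ("seq", ("assign", ("var", "n"), ("const", 1)),                 # changes value parameter n
                 ("seq", ("call", "swap", ["a", "a"], []),                       # repeated variable argument
                 ("seq", ("call", "later", ["i"], [("var", "i")]),               # aliasing; declared later
                         ("assign", ("var", "i"), ("var", "count"))))))))        # global reference
LATER = ("proc", "later", ["k"], ["m"], [], ("begin", ("null",)))

if __name__ == "__main__":
    for problem in check_program([SWAP, BAD, LATER]):
        print(problem)
```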

4.2.6.2 Labels and gotos

In our PASCAL subset, we have also placed a number of restrictions on the declaration and use of labels. Essentially, we have limited labels and gotos in the subset to "exit" transfers of control. However, these "exits" cannot be used to terminate a procedure or a function abnormally. This use of goto seems to be a fairly complex construct that does not belong in a "subset" language like the one being defined here. In section 4.4.6 and Chapter 6, however, we will discuss the problems involved in allowing "escapes" out of functions and procedures.

The limitations on the use of simple jumps are again primarily ones of convenience. It is possible to give both axiomatic [see Clint and Hoare 1973, Knuth 1974] and mathematical [see Scott and Strachey 1972] definitions of blocks using arbitrarily complex sequences of simple jumps. However, in both cases, the definitions are substantially more cumbersome than that of the "exit" jumps defined in the PASCAL subset. Also, unlike the wide-spread aspersions cast upon unrestricted use of the goto, these "escape" or "exit" gotos have evoked considerable interest of late as possibly useful constructs (see [Knuth 1974]). Thus, we included only simple jumps in our language.

4.3 Abstract syntax of the PASCAL subset

The formal semantic descriptions will be given in terms of the syntactic categories of the language, as was the informal semantic description. To reduce the number of syntactic clauses for which a semantic description is necessary, we will use an abstract syntax for PASCAL, in which the various rules of the previous syntax used for disambiguation and informal semantic description are removed. The abstract syntax of the PASCAL subset is the following.

<identifier> ::= <letter> {<letter> | <digit>}

<variable> ::= <identifier>
            | <identifier> [<expression>]

<expression> ::= <variable>
              | <identifier> (<value list>)
              | <constant>
              | <unary operator> <expression>
              | <expression> <binary operator> <expression>
              | eof

<value list> ::= <empty>
              | <value> {,<value>}

<value> ::= <identifier>
         | <expression>

<unary operator> ::= + | - | ¬

<binary operator> ::= + | - | * | div | mod | & | | | = | ≠ | < | ≤ | > | ≥

<procedure or function block> ::= <procedure or function heading> <variable block>

<procedure or function heading> ::= procedure <identifier> (<identifier list> : <identifier list>)
                                 | function <identifier> (<identifier list>)

<identifier list> ::= <empty>
                   | <identifier> {,<identifier>}

<variable block> ::= var <identifier list>; array <identifier list>; <label block>
                  | var <identifier list>; <label block>
                  | array <identifier list>; <label block>
                  | <label block>

<label block> ::= label <identifier> : <statement>; <label block>
               | <procedure block>

<procedure block> ::= <procedure or function block>; <procedure block>
                   | begin <statement> end

<statement> ::= <variable> := <expression>
             | <identifier> (<identifier list> : <value list>)
             | goto <identifier>
             | null
             | read <variable>
             | write <expression>
             | if <expression> then <statement> else <statement> fi
             | while <expression> do <statement> od
             | for <identifier> := <expression> to <expression> do <statement> od
             | <statement> ; <statement>
             | begin <statement> end

<program> ::= program <identifier>; <variable block>.
4.4 Mathematical semantics of the PASCAL subset

4.4.1 Introduction

The purpose of the mathematical semantics given below is to describe the function defined by each of the constructs in the language. To describe this function, it is first necessary to specify the domains used in the definition and then to give the various clauses of the meaning function for each of the clauses of the abstract syntax given above.

With the formal specification of the semantics, we will also provide an informal "operational" interpretation of the clauses of the definition. This will involve a certain abuse of the language to talk about the "execution of a statement" or the "evaluation of an expression." Strictly speaking, we are giving a functional meaning to the language, with no sense of action or time sequence present. However, we believe that for readers unfamiliar with mathematical semantics, this informal interpretation may make the definition more readable and understandable.

One final point needs to be made about the definition to follow. The semantic equations given below are intended to give a maximal semantics for the PASCAL subset in the following sense. Although it is recognized that any implementation of the language may impose limitations on such things as the size of integers, number of array elements, or length of computation, no such restrictions will appear in the semantic description presented below. Thus the description below gives the value of the output of a program that must be produced by every implementation, provided that the implementation does not produce an error message stating that a certain restriction has been violated. Such error messages are outside the scope of this definition.


4.4.2 The domains of the definition

The domains (domains is used in the sense defined in Chapter 3) used in the definition can be divided into two categories:

1. the syntactic domains used to define the abstract syntactic structure of the language. Essentially, these domains correspond to the abstract syntax categories defined above, and

2. the semantic domains describing the underlying values manipulated by the constructs of the language.


4.4.2.1 Syntactic domains


Id                                       identifiers

N = ..., -1, 0, 1, ...                   numerals

Var = Id + [Id x Exp]                    variables

Exp = T                                  truth value names
    + N                                  numerals
    + Var                                variables
    + eof                                the end-of-file indicator
    + [Id x Varg*]                       function designators
    + [Uop x Exp]                        unary operations
    + [Bop x Exp x Exp]                  binary operations

Varg = Id + Exp                          value arguments

Uop = {+, -, ¬}

Bop = {+, -, *, div, mod, &, |, =, ≠, <, ≤, >, ≥}


Stmt = null                              empty statement
     + [goto x Id]                       goto
     + [Var x Exp]                       assignment
     + [read x Var]                      read
     + [write x Exp]                     write
     + [Id x Id* x Varg*]                procedure designators
     + [Exp x Stmt x Stmt]               conditional statements
     + [Exp x Stmt]                      while statements
     + [Id x Exp x Exp x Stmt]           for statements
     + [Stmt x Stmt]                     statement sequences
     + [begin x Stmt x end]              compound statements
Vblock = [Id* x Id* x Lblock]

    Vblock is a variable block, composed of the declaration of
    identifiers as variables or arrays, followed by a label declaration
    block.

Lblock = [[Id x Stmt] x Lblock]
       + Pblock

    Lblock is a label block, composed of a procedure block or a label
    declaration followed by a label declaration block.

Pblock = [[Id x Id* x Id* x Vblock] x Pblock]
       + [[Id x Id* x Vblock] x Pblock]
       + [begin x Stmt x end]

    Pblock is the syntactic category of procedure blocks. As defined
    earlier, procedure blocks are either a procedure or function
    declaration (the Id x Id* x Id* x Vblock or Id x Id* x Vblock
    components) followed by a procedure block, or else a compound
    statement.

Prog = Id x Vblock                       programs


4.4.2.2 Semantic domains


Int                                      the (infinite set of) integers

Bool                                     Booleans

Udef = {u}                               undefined

    We will use the undefined value (which is distinct from ⊥) as the
    initial value of variables and arrays.

Val = Int + Bool + Udef                  values

Func = Arg* -> Val                       functions

    Functions take a sequence of value arguments (which may either be
    simple values or arrays) and produce a single value (no side-effects
    are allowed).

Arg = Val + [Int -> Val]                 arguments

Proc = Id* -> [Arg* -> [C -> [S -> Val*]]]    procedures

    Procedures take both variable and value arguments and produce an
    output file relative to a continuation and state (since function and
    procedure bindings are determined statically, no environment is
    necessary).

Lab = C                                  labels

    Labels represent simple state transformations. They inherit their
    environment and continuation from the procedure block in which they
    are declared.

C = S -> Val*                            continuations

    Continuations represent "the remainder of the computation to be
    performed by the program." They produce the final value of the output
    file relative to the current state.

S = [Id -> [Val + [Int -> Val]]] x Val* x Val*    states

    States have the values of each of the program variables (both simple
    variables and arrays), and the current values of the input and output
    files (the second and third components).

Env = Id -> [Func + Proc + Lab]          environments

    Environments have the values of all the currently accessible labels,
    functions, and procedures.


4.4.3 The meaning functions

Me: Exp -> [Env -> [S -> Val]]

Ma: Varg -> [Env -> [S -> Arg]]

Ms: [Stmt + Pblock + Vblock + Lblock] -> [Env -> [C -> [S -> Val*]]]

    The meaning of a procedure block, variable block, or label block is
    the output file produced relative to a particular environment,
    continuation, and state.

Mp: Prog -> [Val* -> Val*]

    Programs take an input file and produce an output file.
4.4.4 An informal overview of the mathematical definition


The purpose of this section is twofold. First, it provides a brief respite from the avalanche of formalism in the preceding and following sections. More importantly, however, having presented the domain structure that will be used to define the PASCAL subset, we can provide a better intuition about the meaning that will be given to the constructs of the language.

The significance of the definitions is embedded in the definitions of environment, state, and continuation. As was stated above, the environment domain is used to provide the meanings of all of the currently accessible labels, functions, and procedures. The important point about this information is that, for the PASCAL subset, it is all determined statically, i.e., from the program text. This is in contrast with the values of program variables, which are determined dynamically by the execution of the program. Thus we consider the declaration environment a separate component of the meaning of constructs and isolate it as a basic domain of the definition.

In our model, the environment and the first component of the state are similar, in that they each map identifiers to objects. In the Scott/Strachey "standard semantics" (for examples, see [Tennent 1973a, Milne 1974]), the environment would be extended to include a domain of "locations" (i.e., would be a map of type

Id -> Loc + ...),

and the state would be a "machine store" of type

Loc -> Val
(perhaps with extra components for input/output). The simpler alternative of a "program state" mapping the program variables to their values was chosen for the following reasons:

1. The concept of a location is a particularly "low-level" notion and seems anachronistic in the description of a supposedly "high-level" language like PASCAL. Thus it was decided to try to define the PASCAL subset directly in terms of the values of the program variables without resorting to such a "machine-oriented" semantic description.

2. In the axiomatic approach to semantics used in section 4.5, locations do not appear (either explicitly or implicitly) in the definitions. Although we could have extended the axiomatic definitions to include locations in the rules of inference (essentially by placing qualifications on applications of the rules), it seemed more reasonable to remove them from the mathematical definition.

Using this "program state" rather than "machine store" notion of semantics has a subtle effect on the definitions, which should be noted. In the definitions below, variable declarations will be treated differently from other declarations. Procedure, function, and label declarations all change the environment, while variable declarations do not. However, such an asymmetric treatment of variable declaration also appears in the "standard semantics," in which variable declarations not only alter the environment, but also change the store by "allocating" a "new" location for the variable (for an example, see [Tennent 1973a]).
One might ask at this point whether the environment and state could not be coalesced into a single domain. If this were done, the semantic function Ms would have functionality

[Stmt + Pblock + Vblock + Lblock] -> [Env' -> [C -> Val*]]

where Env' is of type

Id -> [Val + Proc' + Lab' + Func].

This is in fact possible, but was rejected for the following reasons:

1. To define variable parameters or input/output would require that procedures take as an argument the current environment, along with having access to the environment active at the time of procedure declaration. Because this current environment would have as components the current function, procedure, and label bindings, this would suggest that procedure activation made the caller's procedure, function, and label bindings available to the called procedure, thus obscuring the notion of scope of names in PASCAL.

2. The existence of the "pun" in PASCAL, where within a function an identifier can refer to both a function and a variable [Wirth 1973a], is easily handled by using a separate environment and state. Were they to be coalesced, environments would have to be of the form

Env = Id -> [Proc + Lab + [Func x Val] + Val],

making the definitions of almost all of the constructs more complex. Note, however, that to guarantee that the meaning functions disallow multiple declarations of an identifier in cases where such usage is disallowed in PASCAL, the definitions of declarations will be made
slightly more complex to make certain that if an identifier refers to a proper value in the state, then it does not also refer to a proper value in the environment (except, of course, for the use of an identifier as both function name and variable). But this complexity will only occur in the semantics of declarations, rather than requiring extra cases in the definition of each statement or expression.

The last remaining domain to be discussed is the domain C of continuations. A full discussion of the ideas behind continuations and their use in defining more complex constructs than those found in the PASCAL subset can be found in [Strachey and Wadsworth 1974, Donahue 1974a]. Essentially, the continuation arguments for each clause in the definitions below represent the meaning of the remainder of the program, i.e., its associated state transformation. The reason the continuation has functionality S -> Val* is that we have defined the result of the program to be the output file (a member of Val*) produced. The importance of using a continuation as an extra argument to the meaning functions is that "transfers of control" can be defined by:

1. applying the continuation to a state to define the meaning of "executing the next statement in the program", or

2. ignoring the "normal" continuation and applying a different one (in particular, using the value of a label in the current environment). This technique is used to define the meaning of goto statements in the PASCAL subset.

4.4.5 Clauses of the definition

In the definitions below, the following notational conventions will be followed.

1. Applications of functions to elements of syntactic domains will be written using < and > for clarity. Also, arbitrary elements of syntactic domains will be written using the name of the domain beginning with a lower case, rather than an upper case, letter, e.g., pblock, vblock, exp.

2. Subsidiary definitions will be introduced using let or where expressions. The expression

let x = a in body

and

body where x = a

are both defined as

(func (x) : body) (a).

Multiple definitions within the same let or where will be given by separating the definitions by semi-colons, i.e.,

let v1 = a1;
    v2 = a2;
    ...
    vn = an
in body

is defined as

(func (v1, v2, ..., vn) : body) (a1, a2, ..., an).

And, if the body of the let or where expression is to be call-by-value on any of its arguments, the body of the let or where will be preceded by a list of call-by-value parameters, i.e.,

(value v) : body where v = a

is defined as the call-by-value restriction of

func (v) : body

applied to a.

3. The state components, i.e., the input and output files and the variable to value component, will be denoted as follows:

a. sv for s(1) (the variable component),

b. si for s(2) (the input file component), and

c. so for s(3) (the output file component).

4. Finally, if s is a state, then s[x <- v] is defined as

s[x <- v] = (sv[x <- v], si, so).

This convention will allow us to simplify the definitions by not repeating the input and output files in the many cases below in which they are not changed.

Finally, we will extend the definitions of Ma, Me, and replacement to allow lists of arguments as follows:

Ma<varg*>(e;s) =
    if varg* is Varg0 then nil
    else prefix(Ma<hd(varg*)>(e;s), Ma<tl(varg*)>(e;s))

Me<exp*>(e;s) =
    if exp* is Exp0 then nil
    else prefix(Me<hd(exp*)>(e;s), Me<tl(exp*)>(e;s))

f[x* <- v*] =
    if x* is nil then
        if v* is nil then f else t
    else (f[hd(x*) <- hd(v*)])[tl(x*) <- tl(v*)]

This will allow us to present the clauses of the definitions for functions and procedures, which involve lists of arguments and parameters, without introducing any new notation. It will be clear from the context whether lists or single arguments are being applied in the definitions below, so no confusion should result.


4.4.5.1 Expressions


Me<n>(e;s) = Int<n>

    Int is the function that takes any numeral into its associated
    integer value.

Me<t>(e;s) = Bool<t>

    Bool is the function that takes any truth value name into its
    associated Boolean value.

Me<id>(e;s) =
    if sv<id> is Val then
        if sv<id> is Udef then t else sv<id>
    else t

    If the identifier is a simple variable, give its value; otherwise
    the program is erroneous.

Me<id[exp]>(e;s) =
    if sv<id> is Int->Val then
        let v = Me<exp>(e;s) to Int
        in (value v) : if sv<id>(v) is Udef then t else sv<id>(v)
    else t

    If the identifier is an array, then return the value of the selected
    component; otherwise the program is erroneous.

Me<id(varg*)>(e;s) =
    if e<id> is Func then
        let a = Ma<varg*>(e;s)
        in (value a) : e<id>(a)
    else t

    If the identifier denotes a defined function, then apply the
    function to the values of the arguments.

Me<uop exp>(e;s) = Unop<uop>(Me<exp>(e;s))

    Unop is of type

    Uop -> [Val -> Val]

    and produces the operation associated with each unary operator. We
    assume these operations are doubly strict on their argument and that
    application of an operator to a value of the wrong type produces t.

Me<exp1 bop exp2>(e;s) =
    Binop<bop>(Me<exp1>(e;s), Me<exp2>(e;s))

    Binop is of type

    Bop -> [[Val x Val] -> Val]

    and produces the operation associated with each binary operator. We
    assume all binary operators are call-by-value on their arguments and
    that application of an operator to a value of the wrong type produces
    t.

Me<eof>(e;s) = si is Val0

    eof is true if the input file is empty, and false otherwise.


4.4.5.2 Value arguments


Ma<id>(e;s) = sv<id>

Ma<exp>(e;s) = Me<exp>(e;s)

    A separate function Ma is used to evaluate value arguments to
    functions and procedures to allow array values to be passed as value
    arguments. Remember that Me produces a single scalar as a value in
    all cases. We allow Ma to produce either a scalar (the second clause
    of the definition) or the value of a program variable (the first
    clause of the definition), which may be either a scalar or an entire
    array.
4.4.5.3 Statements


To guarantee that the functions and procedures satisfy the restrictions imposed in the informal definition, we will make use of the following syntactic predicates:

1. Distinct: Id* -> Bool is call-by-value on its argument and is true iff all of the components of its argument are distinct identifiers, and false otherwise.

2. AssignsTo: [Pblock x Id*] -> Bool is call-by-value on its arguments and produces true iff Pblock contains no free occurrences of any of the Id* as the variables on the left-hand side of assignment statements or as variable arguments in procedure calls.

3. NotIn: [Varg* x Id*] -> Bool is call-by-value on its arguments and has the value true iff Varg* contains no occurrences of any of the identifiers in Id*, and is false otherwise.


Ms<id := exp>(e;c;s) =
    let v = Me<exp>(e;s)
    in (value v) : if sv<id> is Val then c(s[id <- v]) else t

    If the value of the expression is not undefined or erroneous, and
    the identifier refers to a simple variable which has been declared
    (i.e., is not t), replace the old value of the variable with the
    value of the expression.


Ms<id[exp1] := exp2>(e;c;s) =
    let v1 = Me<exp1>(e;s) to Int;
        v2 = Me<exp2>(e;s)
    in (value v1, v2) :
        if sv<id> is Int->Val then c(s[id(v1) <- v2]) else t


Ms<null>(e;c;s) = c(s)

    Continue with the rest of the program.


Ms<read id>(e;c;s) =
    if si is Val0 then t
    else
        if sv<id> is Val
        then c((sv[id <- hd(si)], tl(si), so)) else t
    end

    If the input is not exhausted or erroneous (i.e., the read does not
    occur from within a function call), assign the first component to
    the variable and shorten the input file.


Ms<read id[exp]>(e;c;s) =
    if si is Val0 then t
    else
        let v = Me<exp>(e;s) to Int
        in (value v) : begin
            if sv<id> is Int->Val
            then c((sv[id(v) <- hd(si)], tl(si), so)) else t
        end


Ms<write exp>(e;c;s) =
    let v = Me<exp>(e;s)
    in (value v) : if so is Val* then c((sv, si, append(so, v))) else t

    If the output file is not undefined or erroneous (i.e., the write
    statement did not occur during evaluation of a function reference),
    append the value of the expression to the output file.


Ms<goto id>(e;c;s) =
    if e<id> is Lab then e<id>(s) else t

    If the identifier refers to a label, execute the statement referred
    to by the label. Note that the normal continuation is ignored.


Ms<id(id* : varg*)>(e;c;s) =
    if e<id> is Proc then
        if NotIn(varg*, id*) then
            if Distinct(id*) then
                let a = Ma<varg*>(e;s)
                in (value a) : e<id>(id*; a; c; s)
            else t
        else t
    else t

    If the identifier is a procedure and the argument list is valid,
    evaluate it using the supplied arguments and the current continuation
    and store.
Ms<if exp then stmt1 else stmt2 fi>(e;c;s) = c'(s)
    where c' =
        if Me<exp>(e;s) to Bool
        then Ms<stmt1>(e;c)
        else Ms<stmt2>(e;c)

    Evaluate the Boolean expression and select the appropriate
    component.

Ms<while exp do stmt od>(e;c;s) = c'(s)
    where rec c' =
        if Me<exp>(e;s) to Bool
        then Ms<stmt>(e; Ms<while exp do stmt od>(e;c))
        else c

    If the Boolean expression is false, go to the next statement (apply
    the normal continuation); otherwise execute the body of the while
    using the meaning of the while as the continuation to be used after
    terminating execution of the body.

Ms<for id := exp1 to exp2 do stmt od>(e;c;s) =
    let v1 = Me<exp1>(e;s) to Int;
        v2 = Me<exp2>(e;s) to Int
    in
    (value v1, v2) : begin iterate(s[id <- v1])
        where
            rec func iterate(S s1) :
                begin
                    if s1v<id> > v2 then c(s1[id <- u])
                    else
                        Ms<stmt>(e; c''; s1)
                        where c'' = func(s2) : iterate(s2[id <- s2v<id> + 1])
                end
        end

    Iterate checks to see if the current value of the control variable
    is greater than the final value. If so, it applies the normal
    continuation (after first making the control variable undefined).
    Otherwise, it executes the body of the loop, increments the control
    variable (the first part of the continuation) and does another
    iteration. The process begins by assigning the initial value to the
    control variable (only if both the initial and final values are
    defined).


Ms<stmt1; stmt2>(e;c;s) =
    Ms<stmt1>(e; Ms<stmt2>(e;c); s)

Ms<begin stmt end> = Ms<stmt>

    begin and end have no semantic effect.


Ms<procedure id(id1* : id2*); vblock; pblock>(e;c;s) =
    if NotIn(id1*, id2*) then
        if Distinct(id1*) then
            if Distinct(id2*) then
                if AssignsTo(vblock, id2*) then t
                else Ms<pblock>(e[id <- p]; c; s[id <- t])
            else t
        else t
    else t
    where
        func p(Id* x; Arg* y; C cp; S sp) :
            Ms<vblock>(e'[id <- p]; cp'; sp')
            where
                e' = func(Id i) : if e<i> is Lab then t else e<i>;
                cp' = func(s1) : cp((spv[x <- s1v<id1*>], s1i, s1o));
                sp' = (t[id1* <- spv<x>; id2* <- y], spi, spo)
        end

    The meaning of a procedure declaration is to bind the procedure
    identifier to the procedure value denoted by the procedure body (this
    is the function p in the definition).

    The following points are of importance in understanding this
    definition:

    1. The variable parameters are interpreted using a
    call-by-value/result mechanism. The values of the variables are
    copied into the state used by the procedure body, and the
    continuation restores the values of the parameters in the state to be
    returned as the value of a procedure call.

    2. t is used as the initial state to disallow references to non-local
    variables from within the procedure body.

    3. Within the procedure, the procedure name is recursively bound to p
    to handle recursive use of the procedure in a straightforward manner.

    4. The environment inherited by the procedure body is restricted so
    that all labels global to the procedure become undefined.
Ms<function id(id*); vblock; pblock>(e;c;s) =
    if Distinct(id*) then
        if AssignsTo(vblock, id*) then t
        else Ms<pblock>(e[id <- f]; c; s[id <- t])
    else t
    where
        func f(Arg* x) :
            begin Ms<vblock>(e; c'; s')
            where
                c' = func(s'') : s''v<id>;
                s' = (t[id* <- x; id <- u], t, t)
            end

    Function declarations are similar to procedure declarations, except
    that:

    1. Input/output is not allowed, so the second and third components
    of the state are set to t (which is checked for by the read and write
    statements), and

    2. The variable named by the function identifier is set to u.

    3. The continuation is used to return the value of the function by
    returning the value of the function identifier in the final state
    produced.


Ms<var id1*; array id2*; lblock>(e;c;s) =
    Ms<lblock>(e'; c'; s')
    where
        c' = func(s1) : c(s1[id1* <- sv<id1*>; id2* <- sv<id2*>]);
        s' = s[id1* <- u; id2* <- func(Int i) : u];
        e' = e[id1* <- t; id2* <- t]

    Variable declarations change the values of the associated
    identifiers from their previous values to u in the state (they are
    undefined, but now assignments can be made to them). Also, the
    previous values of the variables are retained in the continuation,
    to be restored after the lblock terminates.


Ms<label id: stmt; lblock>(e;c;s) =
    let c' = Ms<stmt>(e;c)
    in Ms<lblock>(e[id <- c']; c; s[id <- t])

    Label declarations place new label values in the environment.
4.4.5.4 Programs

Mp<program id; vblock>(v*) =
    Ms<procedure id; vblock; begin id end>(e-init; func(s) : so; (t, v*, nil in Val*))

    Programs take an input file and produce an output file relative to
    an implementation-defined initial environment and the continuation
    which simply selects the output component of the final state. Here
    nil is used to denote the empty output file (Val0), t is used as the
    first component of the state
2. to serve as a "stack" to save previous values of program variables and to restore these values after execution of a variable block or procedure call.

Obviously, this use of the continuation as a stack is valid only if we guarantee that the evaluation of procedures and variable blocks always either produces undefined or erroneous results or else produces final values by applications of the normal continuation to some "final state." Otherwise, the values of the program variables could be such that some unexpected results, not corresponding to our intuition, might be produced. In this section, we will argue that the definitions given above explicitly disallow such surprises.
It is clear that if all variable blocks are evaluated using environments such that:

1. no labels are defined in the environment, and

2. all procedures that are defined in the environment either fail (produce t or ⊥) or produce a value by applying the continuation given in each procedure call to some final state,

then the variable block either fails or produces a result by applying its normal continuation. If this is true, then in all such cases we can be assured that the program variables will never take on unexpected values. We notice, however, that variable blocks can only occur:

1. as the body of a procedure or function in a procedure or function declaration, or

2. as the body of a program.

And, in both cases the semantics of procedures and functions guarantees that the body of the procedure or function or program will be evaluated in an environment in which no labels are defined. Thus, if we assume that all procedures defined in the environment produce a proper result by applying the continuation provided in each procedure call, then we have that all variable blocks work properly.

But, since all variable blocks form the body of procedures, this also guarantees that if all procedure values in an environment are as above, then the environment produced by adding a new procedure value has the property that all procedure values in the extended environment work properly. Finally, if we assume that in the initial environment e-init all procedure values that
are defined always produce a proper value by applying the normal continuation, then we immediately have that for all PASCAL subset programs the meaning function Mp restores the values of program variables consistent with our intuition.

Note that our ability to argue that this use of continuations produces proper results depends on the fact that label values are not inherited across procedure boundaries. This suggests that our model used to give the mathematical semantics of our language is not "powerful" enough to give an accurate description of jumps out of procedures. In Chapter 6, we will return to this point after presenting a model in which such constructs may be accurately defined.

4.5 Axiomatic semantics of the PASCAL subset

4.5.1 Introduction

In this section, we will define the semantics of the PASCAL subset, using the axiomatic approach developed by Hoare, in a fashion similar to the example presented in Chapter 2. To give an axiomatic definition, we specify:

1. the statements of the language, given by the abstract syntax of section 4.3,

2. the set of logical expressions, or assertions,

3. a set of formulas of the form

{P} S {Q}

where P and Q are logical expressions, and S is a PASCAL statement, procedure block, variable block, label block, or program. As stated in Chapter 2, an informal interpretation of these formulas is "if P is true prior to execution of S and S terminates, then Q is true after execution of S." These formulas will be used to define the meaning of the simple statements of the language.

4. rules of inference of the form

H1, ..., Hn

B

where each of the H's are hypotheses. Rules of this form will be used to describe the meaning of the structured statements of the language and can be read as "if H1, ..., Hn are true, then B is true." Hypotheses may be either:

a. axiomatic formulas, or

b. expressions of the form

F1; ...; Fm |- F,

where each of the F's is a formula. Hypotheses of this form can be read as "the truth of F follows from the truth of F1, ..., Fm."

4.5.2 Assertions

4.5.2.1 The assertion language

In this section, we will define the syntax of assertions allowed in our axiomatic definition. The syntax of the assertion language is completely specified below for the following reasons:

1. To perform the various structural inductions on assertions found in the next chapter, it is necessary to fix the assertion language used.

2. Also, there are several aspects of the assertion language (e.g., sequence expressions, altered array expressions, and the forms of quantification used) that make the language a rather substantial modification of the more common first-order predicate calculus for the integers. Since we are using the language to prove properties of PASCAL subset programs, the language has been constructed to reflect the underlying characteristics of PASCAL.

The basic units of assertions are the Boolean valued expressions of the PASCAL subset, extended as follows to define input/output and array assignment.

<extended variable> ::= <variable>
                      | <sequence expression>
                      | <altered array>
                      | #in
                      | #out

#in and #out are used to denote the current length of the input and output files.

<sequence expression> ::= <sequence value>{<expression>}

<sequence value> ::= <output expression>
                   | <input expression>

<output expression> ::= out
                      | (<output expression> || <expression>)

<input expression> ::= in
                     | (<expression> || <input expression>)

Sequence expressions are used to select components of the sequences representing the (possibly extended) input and output files. out is used to denote the current value of the output file, in the current value of the input file, and || the operation of concatenating sequences. The meaning given to the indices is as follows. The "first" element of an output expression, i.e., the element with index 1, is the left-most element of the sequence, i.e., the first element written, and the elements are numbered consecutively from "oldest" to "youngest." For input expressions, the "first" element (with index 1) is the right-most element of the sequence, i.e., the last element of the input file, and the elements are numbered consecutively from this element to the next element to be read. Note that this indexing scheme allows us to number from a fixed point in the input and output files, so that reads and writes do not affect the indices of any elements other than the last value read or written.

<altered array> ::= (<identifier> [ <expression> <- <expression> ]) [ expression ]

The altered array syntax is used to specify changes to the elements of an array. For

A[i <- e]

we will intuitively mean "the value of the array A with the ith component changed to have the value e." The class of extended expressions includes any expression that can be formed from the extended variables defined above and the PASCAL subset operators defined in 4.2.2.3.

More complex assertions are built from these atomic assertions using a subset of the logical connectives and quantifiers of the predicate calculus.

<assertion> ::= <atomic assertion>
              | (<assertion> or <assertion>)
              | (<assertion> and <assertion>)
              | (<assertion> implies <assertion>)
              | not <assertion>
              | <quantified assertion>

The form of quantified assertions we will use in the PASCAL subset definition will explicitly recognize that we are dealing with finite programs that invoke finite computations (i.e., in the sense that all infinite computations in the preceding definition have the value undefined). Thus only bounded quantification is allowed in the assertion language, both over sets of expressions (in the simplest case, these may be just identifiers) and sets of integers.

<quantified assertion> ::= <quantifier> <expression set> <assertion>
                         | <quantifier> <integer set> <assertion>

<quantifier> ::= ∃<identifier>
               | ∀<identifier>

<expression set> ::= [ <expression> {, <expression>} ]

<integer set> ::= [ <expression> : <expression> ]

The use of the expression set in assertions allows a simple short-hand for writing long conjunctions or disjunctions. The formula

∀x[exp1, ..., expn] P

will be interpreted as

(P<exp1/x> and (P<exp2/x> and (... and P<expn/x>)...))

where P<y/x> is the result of substituting the expression y for the identifier x in P (with appropriate renaming of bound variables within P to avoid name clashes). Similarly, the formula

∃x[exp1, ..., expn] P

will be interpreted as

(P<exp1/x> or (P<exp2/x> or (... or P<expn/x>)...)).

We will not allow bound variables to appear in any of the expressions in the expression set.
The use of the integer set in quantified assertions is to allow specification of properties of arrays and the input and output files, in which components are selected by position. Quantification involving integer sets will be defined as follows. The assertion

∀x[m:n] P

is defined as

∀x[ m≤x≤n => P ],

where we do not allow the identifier x to occur in the expressions m or n. The formula

∃x[m:n] P

is defined as

∃x[ (m≤x≤n) and P ],

again where we do not allow x to occur free in m or n. In Chapter 5, we will give a constructive interpretation of these formulas as continuous functions.
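The following is an added example, not code from the thesis: a small Python evaluator for the assertion language of 4.5.2.1. The input and output files are modelled as Python lists, with the index conventions of the text (out{1} is the first element written, in{1} is the right-most element of the input file, so in{#in} is the next element to be read); altered arrays and both forms of bounded quantification are included, and substitution P<y/x> is modelled by passing P as a function of its bound variable. The class and function names are this example's own, and the sample state is constructed. It also checks the claim made above that a read or a write leaves every other index unchanged, and evaluates the ProperFile predicate that the proof in 4.5.8 uses.

```python
# Added example (not the thesis's own code): an evaluator for the 4.5.2.1
# assertion language.  Files are Python lists; names are this example's own.
import math
from typing import Any, Callable, Iterable, List, Sequence


class Files:
    """The (possibly extended) input and output files of a state."""

    def __init__(self, inp: Sequence[Any], out: Sequence[Any]) -> None:
        self.inp: List[Any] = list(inp)
        self.out: List[Any] = list(out)

    def num_in(self) -> int:            # #in: current length of the input file
        return len(self.inp)

    def num_out(self) -> int:           # #out: current length of the output file
        return len(self.out)

    def out_at(self, k: int) -> Any:    # out{k}: index 1 is the first element written
        if not 1 <= k <= len(self.out):
            raise IndexError(f"out{{{k}}} is undefined for #out = {len(self.out)}")
        return self.out[k - 1]

    def in_at(self, k: int) -> Any:     # in{k}: index 1 is the right-most (last) element
        if not 1 <= k <= len(self.inp):
            raise IndexError(f"in{{{k}}} is undefined for #in = {len(self.inp)}")
        return self.inp[len(self.inp) - k]

    def extended_in(self, v: Any) -> "Files":    # (v || in): prepend to the input file
        return Files([v] + self.inp, self.out)

    def extended_out(self, v: Any) -> "Files":   # (out || v): append to the output file
        return Files(self.inp, self.out + [v])

    def read(self):
        """Effect of a read statement: returns in{#in} and the shortened input file."""
        return self.inp[0], Files(self.inp[1:], self.out)


def altered(array: Sequence[Any], i: int, e: Any) -> List[Any]:
    """A[i <- e]: the array A with its i-th component (1-based) changed to e."""
    new = list(array)
    new[i - 1] = e
    return new


# Bounded quantification.  Over an expression set [exp1, ..., expn] the quantifier
# is the finite conjunction/disjunction P<exp1/x> and ... and P<expn/x>; over an
# integer set [m:n] it ranges over m <= x <= n, which is empty when n < m.
def forall_set(exps: Iterable[Any], P: Callable[[Any], bool]) -> bool:
    return all(P(v) for v in exps)


def exists_set(exps: Iterable[Any], P: Callable[[Any], bool]) -> bool:
    return any(P(v) for v in exps)


def forall_int(m: int, n: int, P: Callable[[int], bool]) -> bool:
    return all(P(x) for x in range(m, n + 1))


def exists_int(m: int, n: int, P: Callable[[int], bool]) -> bool:
    return any(P(x) for x in range(m, n + 1))


def proper_file(f: Files, i: int) -> bool:
    """ProperFile(i) of 4.5.8: (forall k[1:i] out{k} = k!) and #out = i."""
    return forall_int(1, i, lambda k: f.out_at(k) == math.factorial(k)) and f.num_out() == i


def indices_stable_under_read(f: Files) -> bool:
    """A read changes no index other than that of the value read, because the
    input file is numbered from its right-hand end."""
    _, after = f.read()
    return forall_int(1, after.num_in(), lambda k: after.in_at(k) == f.in_at(k))


def indices_stable_under_write(f: Files, v: Any) -> bool:
    """Likewise a write leaves out{1} .. out{#out} unchanged."""
    after = f.extended_out(v)
    return forall_int(1, f.num_out(), lambda k: after.out_at(k) == f.out_at(k))


if __name__ == "__main__":
    files = Files(inp=[7, 8, 9], out=[1, 2, 6])    # constructed sample state
    print(files.in_at(files.num_in()))             # the next element to be read
    print(proper_file(files, 3))                   # out = 1!, 2!, 3! and #out = 3
    print(altered([10, 20, 30], 2, 99))
    print(indices_stable_under_read(files))
```

The empty-range behaviour of forall_int matters for the proofs later in the chapter: ∀k[1:0] is vacuously true, which is what makes ProperFile(0) coincide with #out = 0 in step (1.5).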


4.5.2.2 Expressiveness of the assertion language

An important question to answer before giving the formulas and rules of inference defining the semantics of the PASCAL subset is whether the assertion language described above is powerful enough to express all of the assertions we might want to make about the executions of programs in the PASCAL subset. Given an assertion Q in our assertion language which expresses
1. We can construct a proof of {P} S {Q}, as desired.

2. There is an assertion P such that {P} S {Q}, but we can't complete the proof (the system is incomplete).

3. Finally, the program is correct, but we can not write the appropriate pre-condition in the assertion language being used. In this case, the assertion language is not expressive.


We formalize this notion of expressiveness using a definition similar to that given in [Cook 1975].

Definition: An assertion P is said to be a valid pre-assertion for a statement S and assertion Q iff {P} S {Q}. P is a weakest pre-assertion for S and Q iff for all assertions R such that R is a valid pre-assertion for S and Q, R=>P. Since assertions can be arbitrary PASCAL subset expressions and may have values other than true or false (i.e., may be undefined or erroneous), the implication operator must be extended to produce true when either R or P is neither true nor false. P is a maximal weakest pre-assertion for S and Q iff:

1. P is a weakest pre-assertion for S and Q, and

2. P is undefined or erroneous only if S or Q is undefined or erroneous (i.e., P is at least as well-defined as S or Q).

Definition: An assertion language L is expressive iff for every statement S and post-assertion Q in L, there exists a maximal weakest pre-assertion P in L such that {P} S {Q}.


We can informally argue that our assertion language is expressive as follows. The most important aspect of the assertion language given above was the ability to use arbitrary PASCAL expressions, including Boolean-valued functions, in assertions. To show that the language is expressive, we will show how to construct a Boolean function

P(x1,...,xm, y1,...,yn)

such that P is true iff S terminates with Q true, i.e.,

{P(x1,...,xm, y1,...,yn)} S {Q},

where x1,...,xm are the free variables of S, and y1,...,yn are any free variables of Q that do not appear in S.

It should be clear that most of the forms of assertions defined above can be mapped directly into PASCAL functions, with the possible exception of the part of the language that deals with input and output. We can, however, model the simple input/output of the PASCAL subset by using an array and an integer index to simulate the input and output files. Read statements, then, can be translated to placing the next value from the input array into the associated variable and incrementing the index. A similar action can be defined for the translation of write statements. Then we can easily interpret the assertions using the input/output part of the language as statements about these arrays.

So, assume that we can translate the assertion Q into a PASCAL function

P_Q(y1,...,yn)

where y1,...,yn are the free variables of Q. Now we can define

P(x1,...,xm, y1,...,yk)

where x1,...,xm are the free variables of S, and y1,...,yk are any other free variables of Q not appearing in S, as follows:

function P(x1,...,xm, y1,...,yk);
begin
  S;
  if P_Q(x1,...,xm, y1,...,yk) then P := true else P := false fi
end;

Now P is true prior to execution of S only if Q is true after execution of S, so we have

{P(x1,...,xm, y1,...,yn)} S {Q}.
That P(x1,...,xm, y1,...,yn) is a maximal weakest pre-assertion can be argued as follows. Assume

{E} S {Q}

for any E. By our interpretation of axiomatic formulas, this means that whenever E is true, then if S terminates, then Q will be true. But we have from the definition of P given above that whenever S terminates, then if Q is true, P will also be true. Thus it is clear that whenever E is true, P must not be false, or E=>P is true. Thus P is a weakest pre-assertion. That it is also a maximal weakest pre-assertion follows immediately from its definition. Thus our assertion language is expressive.
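The construction just argued, as an added example in Python rather than PASCAL (this is not the thesis's code): the pre-assertion P is obtained by running S on a copy of the state and then testing Q, and the four values an assertion can take in this language (true, false, undefined, erroneous) are made explicit. Statements are modelled as Python functions over a state dictionary; non-termination is approximated by a step budget, which is an assumption of this model, as is the particular statement S and post-assertion Q, both constructed here. The extended implication of the definition above (true whenever either side is neither true nor false) is used to check, on a finite sample of states, that an arbitrary valid pre-assertion E satisfies E=>P.

```python
# Added example (not the thesis's own code): the pre-assertion P of 4.5.2.2
# built by executing S and then testing Q.  The step budget, S_example,
# Q_example and the sample states are all constructed for this example.
from enum import Enum
from typing import Any, Callable, Dict, List


class Tri(Enum):
    TRUE = "true"
    FALSE = "false"
    UNDEFINED = "undefined"    # S does not terminate
    ERRONEOUS = "erroneous"    # S or Q fails, e.g. on a type mis-match


class NonTermination(Exception):
    """Raised by a statement whose step budget is exhausted."""


State = Dict[str, Any]


def eval_assertion(A: Callable[[State], bool], st: State) -> Tri:
    """Evaluate a Boolean-valued assertion, mapping failures to ERRONEOUS."""
    try:
        return Tri.TRUE if A(dict(st)) else Tri.FALSE
    except Exception:
        return Tri.ERRONEOUS


def pre_assertion(S: Callable[[State, int], State],
                  P_Q: Callable[[State], bool],
                  budget: int = 10_000) -> Callable[[State], Tri]:
    """P(x1..xm, y1..yn) = 'S terminates from this state and Q holds afterwards',
    i.e. the function  S; if P_Q then P := true else P := false  of the text."""
    def P(st: State) -> Tri:
        try:
            final = S(dict(st), budget)   # S runs on a copy, so P has no side effects
        except NonTermination:
            return Tri.UNDEFINED
        except Exception:
            return Tri.ERRONEOUS
        return eval_assertion(P_Q, final)
    return P


def implies(r: Tri, p: Tri) -> Tri:
    """The extended implication of 4.5.2.2: true whenever either side is
    neither true nor false, otherwise ordinary material implication."""
    if r not in (Tri.TRUE, Tri.FALSE) or p not in (Tri.TRUE, Tri.FALSE):
        return Tri.TRUE
    return Tri.TRUE if (r is Tri.FALSE or p is Tri.TRUE) else Tri.FALSE


def is_weakest_on(E: Callable[[State], bool], P: Callable[[State], Tri],
                  states: List[State]) -> bool:
    """Check E => P on a finite sample of states (the text argues it for all)."""
    return all(implies(eval_assertion(E, st), P(st)) is Tri.TRUE for st in states)


# Constructed statement S:  while x <> 0 do x := x - 2 od; y := y + 1
def S_example(st: State, budget: int) -> State:
    steps = 0
    while st["x"] != 0:
        st["x"] = st["x"] - 2
        steps += 1
        if steps > budget:
            raise NonTermination()
    st["y"] = st["y"] + 1
    return st


def Q_example(st: State) -> bool:      # constructed post-assertion Q:  y > 0
    return st["y"] > 0


P_example = pre_assertion(S_example, Q_example)


def E_example(st: State) -> bool:      # a valid pre-assertion for S and Q
    return st["x"] >= 0 and st["x"] % 2 == 0 and st["y"] >= 0


SAMPLE_STATES: List[State] = [
    {"x": 4, "y": 0},     # S terminates and Q holds:        P is true
    {"x": 0, "y": -5},    # S terminates and Q fails:        P is false
    {"x": 3, "y": 0},     # odd x never reaches 0:           P is undefined
    {"x": "a", "y": 0},   # "a" - 2 is a type mis-match:     P is erroneous
    {"x": 2, "y": 7},
]

if __name__ == "__main__":
    for st in SAMPLE_STATES:
        print(st, P_example(st).value)
    print(is_weakest_on(E_example, P_example, SAMPLE_STATES))
```

The undefined and erroneous cases are exactly the ones the next paragraph points out: P inherits non-termination and type errors from S, which is why the interpretation in Chapter 5 has to admit assertions with values other than true and false.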

Two points are worth noting here. First, unlike the more conventional predicate calculus, our assertion language allows the definition of assertions that may have values other than true or false, i.e., an assertion may also be undefined or erroneous. In fact, the pre-assertion P defined above is undefined if S fails to terminate and erroneous if S is erroneous (e.g., contains a type mis-match). In the next chapter, our interpretation of both assertions and axiomatic formulas will reflect the fact that such assertions are allowed.

Also, the assertion language defined above, while expressive, may still be awkward to use. In a sense, what has been defined is a sort of minimal assertion language for PASCAL subset programs. It should be clear that the language could be extended to include any other computable operators desired without modification of its essential structure or properties (in the example of 4.5.8, we will, in fact, use an extended assertion language incorporating a factorial operator). The addition of more operators would also increase the number of cases involved in the structural inductions of Chapter 5, so the language used as the basis of the axiomatic definition will contain only the operators found in the PASCAL subset expression syntax.

We now present the axiomatic definition of the PASCAL subset, again with informal commentary on the interpretation of the formulas.

4.5.3 The semantics of simple statements

In the axioms and rules of inference to follow, P, Q, and R are used to stand for arbitrary assertions:

{E<exp/id>} id := exp {E}

where E<exp/id> is the result of replacing all free occurrences of id in E with exp (with appropriate renaming of bound variables if necessary). In the next chapter, we will give a more formal and detailed definition of syntactic substitution.


{E<(id[i <- exp])/id>} id[i] := exp {E}

We view array assignment as assigning a new array, identical to the old array, except that the ith component is changed to the value of the right-hand side expression.
{P} null {P}

{P<in{#in}/id>} read id {P<(id || in)/in, #in+1/#in>}

The read statement has two effects: the next element of the file is assigned to the variable and the input file is shortened. The substitution in the precondition expresses the effect of the assignment, the substitution in the postcondition that of the shortening of the file.

{P<(id[exp <- in{#in}])/id>} read id[exp] {P<(id[exp] || in)/in, #in+1/#in>}

{P<(out || exp)/out, #out+1/#out>} write exp {P}

4.5.4 The semantics of structured statements

{P and exp} stmt1 {R}, {P and not exp} stmt2 {R}

{P} if exp then stmt1 else stmt2 fi {R}

{P and exp} stmt {P}

{P} while exp do stmt od {P and not exp}

P in this rule is the so-called "loop invariant," which is unchanged by each execution of the loop body.

{a≤id≤b and P<id-1/id>} stmt {P}

{P<a-1/id> and (b<a implies P<b/id>)} for id := a to b do stmt od {P<b/id>}

where the identifiers in a and b do not occur free in stmt.

{P} stmt1 {Q}, {Q} stmt2 {R}

{P} stmt1; stmt2 {R}

{P} stmt {R}

{P} begin stmt end {R}

4.5.5 The semantics of declarations

4.5.5.1 Procedure declaration and call

{P} id(idlist1 : idlist2) {R} |- {P} vblock {R},
{P} id(idlist1 : idlist2) {R} |- {P'} pblock {R'}

{P'} procedure id(idlist1 : idlist2); vblock; pblock {R'}

{P<b/i 
Here P and R are the "recursion invariants," which are assumed for the recursive invocations of the procedure, where P and R refer only to the parameters of the procedure and the input/output files, i.e., they do not refer to any other variables. Moreover, P must refer to in and #in if any read statements occur in the procedure body vblock, and to out and #out if any write statements occur in vblock. This is required so that the input and output files, as implicit arguments to the procedure, are changed by the procedure
{P} id(id1:id2) {R}

{P<id1'/id1, e/id2>} id(id1':e) {R<id1'/id1, e/id2>}

Parameter passing can be seen as replacing the arguments for the parameters in the pre- and post-assertions. We will require that:

1. all of the components of id1' be distinct identifiers, and

2. no member of id1' may appear in e.
4.5.5.2 Variable declaration

{P<z1/id1, z2/id2>} lblock {R<z1/id1, z2/id2>}

{P} var id1; array id2; lblock {R}

where z1, z2 do not occur free in P or R and do not appear in the label block body. Also, either the var or array declarations may be omitted.
4.5.5.3 Label declaration and goto

{P} stmt {R}, {P} goto id {false} |- {Q} lblock {R}

{Q} label id: stmt; lblock {R}

If prior to each execution of a transfer of control to the label, the required precondition is true (P in the rule above) and if execution of the labelled statement and normal termination of the body both produce the required postcondition, then the label block produces the desired postcondition from the precondition of the block body.


4.5.6 The semantics of programs

{P and #out=0} procedure id; vblock; begin id(:) end {R}

{P} program id; vblock. {R}

Programs can be viewed as procedure declarations of the program body followed by a procedure call of the body. If assuming that the output file is empty is sufficient to guarantee the desired result, then the program is correct.

4.5.7 Rule of consequence

If P implies R and S implies Q, then

{R} stmt {S}

{P} stmt {Q}

4.5.8 Two sample proofs and discussion

In this section, we will conclude the presentation of the axiomatic definition of the PASCAL subset by giving two proofs of the correctness of fairly simple example programs. Additionally, we will discuss in more detail the rules of inference for procedures presented above. These examples are selected not because of any interest in the programs themselves, but because together these programs incorporate most of the control constructs found in the PASCAL subset. Thus readers unfamiliar with formal proofs of program properties may gain a better feeling for how the axioms and rules of inference given above may actually be used.


Our first example program is the following, which obviously prints the values of the first ten factorials.

program PrintFactorials;
var i, j;
procedure Fact(n:m);
begin
  if m = 0 then n := 1
  else Fact(n:m-1); n := n*m fi
end;
begin
  for i := 1 to 10 do
    Fact(j:i);
    write j
  od
end.

The proof of the correctness of the program, establishing that it does print the first ten factorials, will be done in three basic segments:

1. We first assume that the procedure Fact is correct, i.e., Fact(n:m) computes n=m!, and show that the body of the program (the for lo@op) prints the factorials as desired.

2. We then assume the correctness of Fact to show that the body of the procedure Fact is also correct.

3. Finally, we apply the rules of inference for procedure declaration and programs to show that the preceding steps guarantee the correctness of the program.
To make the proof easier to read, we first introduce the following notational convention.

Notation: The predicate ProperFile(i) is defined as

(∀k[1:i] out{k} = k!) and #out = i,

i.e., the first i values in the output file are 1!, 2!, ..., i! and the current length of the output file is i.


Step 1: The program is correct, relative to the correctness of Fact.

(1.0) {true} Fact(n:m) {n=m!} [assump.]

(1.1) {ProperFile(i-1) and j=i!} write j {ProperFile(i)} [write, conseq.]

(1.2) {ProperFile(i-1)} Fact(j:i) {ProperFile(i-1) and j=i!} [1.0, proc. call, inv.]

(1.3) {ProperFile(i-1) and 1≤i≤10} Fact(j:i); write j {ProperFile(i)} [1.1, 1.2, seq., conseq.]

(1.4) {ProperFile(0) and (10<1 implies ProperFile(10))} for i := 1 to 10 do ... od {ProperFile(10)} [1.3, for]

(1.5) {#out = 0} for i := 1 to 10 do ... od {ProperFile(10)} [1.4, conseq.]

Q.E.D. step 1.


Step 2: The correctness of Fact. The procedure body is correct, relative to the correctness of Fact.

(2.0) {true} Fact(n:m) {n=m!} [assump.]

(2.1) {m=0 and 1=m!} n := 1 {n=m!} [assign., conseq.]

(2.2) {not (m=0) and n*m=m!} n := n*m {n=m!} [assign., conseq.]

(2.3) {not (m=0)} Fact(n:m-1) {not (m=0) and n=(m-1)!} [2.0, proc. call, inv.]

(2.4) {not (m=0)} Fact(n:m-1); n := n*m {n=m!} [2.2, 2.3, seq.]

(2.5) {true} if m=0 then ... else ... fi {n=m!} [2.1, 2.4, if]

Q.E.D. step 2.
Step 3: Putting it all together

(3.0) {#out = 0} procedure Fact; ...; begin ... end {ProperFile(10)} [1.0, 2.0, 1.5, 2.5, proc. decl.]

(3.1) {#out = 0} var i, j; procedure Fact ... end. {ProperFile(10)} [3.0, var. decl.]

(3.2) {#out = 0} PrintFactorials {ProperFile(10)} [assump.]

(3.3) {#out = 0} procedure PrintFactorials; ...; begin PrintFactorials end {ProperFile(10)} [3.1, 3.2, proc. decl.]

(3.4) {true} program PrintFactorials; ... end. {ProperFile(10)} [3.3, program]

Q.E.D. step 3.
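As an added example (not the thesis's code), the assignment axiom of 4.5.3, the rule of consequence of 4.5.7 and the for rule of 4.5.4 are mechanised below for assertions written as Python expressions, and then applied to steps (2.1) and (2.2) of the proof above. Substitution E<exp/id> is done on the Python syntax tree so that a variable bound by a bounded quantifier (written here as all(... for k in range(m, n + 1))) is not replaced, which is the renaming caveat the text attaches to substitution. The consequence rule's implications are checked over a finite sample of states rather than proved, which is this example's simplification; the state sample, the factorial operator name fact and the function names are all this example's own.

```python
# Added example (not the thesis's own code): the assignment axiom and the rule
# of consequence on Python-expression assertions, applied to steps (2.1) and
# (2.2).  Implications are checked on a constructed finite sample of states.
import ast
import copy
import math
from typing import Any, Dict, Iterable


def substitute(assertion: str, ident: str, expr: str) -> str:
    """E<expr/ident>: replace the free occurrences of ident in E by expr.
    Occurrences bound by a generator (a bounded quantifier) are left alone."""
    replacement = ast.parse(expr, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node: ast.Name) -> ast.AST:
            return copy.deepcopy(replacement) if node.id == ident else node

        def visit_GeneratorExp(self, node: ast.GeneratorExp) -> ast.AST:
            bound = any(isinstance(g.target, ast.Name) and g.target.id == ident
                        for g in node.generators)
            return node if bound else self.generic_visit(node)

    return ast.unparse(Sub().visit(ast.parse(assertion, mode="eval")))


def evaluate(assertion: str, state: Dict[str, Any]) -> bool:
    """Evaluate an assertion in a state; 'fact' stands for the m! operator.
    The state is merged into the globals so that generator bodies can see it."""
    env = {"__builtins__": {"all": all, "any": any, "range": range},
           "fact": math.factorial, **state}
    return bool(eval(assertion, env))


def assignment_pre(post: str, ident: str, expr: str) -> str:
    """Axiom {E<exp/id>} id := exp {E}: the precondition for a given postcondition."""
    return substitute(post, ident, expr)


def for_pre(P: str, ident: str, a: str, b: str) -> str:
    """Precondition of the for rule: P<a-1/id> and (b<a implies P<b/id>)."""
    return (f"({substitute(P, ident, f'({a}) - 1')}) and "
            f"((not ({b} < {a})) or ({substitute(P, ident, b)}))")


def implies_on(hyp: str, concl: str, states: Iterable[Dict[str, Any]]) -> bool:
    """Obligation hyp => concl of the rule of consequence, on sample states."""
    return all(evaluate(concl, st) for st in states if evaluate(hyp, st))


def check_assignment(pre: str, ident: str, expr: str, post: str,
                     states: Iterable[Dict[str, Any]]) -> bool:
    """{pre} ident := expr {post} by [assign., conseq.]: pre => post<expr/ident>."""
    return implies_on(pre, assignment_pre(post, ident, expr), states)


# Constructed sample states for the factorial proof: m in 0..5, n in 0..120.
FACT_STATES = [{"m": m, "n": n} for m in range(0, 6) for n in range(0, 121)]


def step_2_1() -> bool:
    """(2.1) {m=0 and 1=m!} n := 1 {n=m!}"""
    return check_assignment("m == 0 and 1 == fact(m)", "n", "1",
                            "n == fact(m)", FACT_STATES)


def step_2_2() -> bool:
    """(2.2) {not (m=0) and n*m=m!} n := n*m {n=m!}"""
    return check_assignment("not (m == 0) and n * m == fact(m)", "n", "n * m",
                            "n == fact(m)", FACT_STATES)


def step_2_2_wrong_pre() -> bool:
    """The same assignment with the postcondition reused as precondition: the
    obligation n=m! => n*m=m! fails (e.g. m=2, n=2), so this is rejected."""
    return check_assignment("n == fact(m)", "n", "n * m", "n == fact(m)", FACT_STATES)


if __name__ == "__main__":
    print(assignment_pre("n == fact(m)", "n", "n * m"))   # n * m == fact(m)
    print(step_2_1(), step_2_2(), step_2_2_wrong_pre())   # True True False
    print(for_pre("total == i * (i + 1) // 2", "i", "1", "10"))
```

The for_pre helper shows the rule's precondition for a loop summing 1..i with invariant total = i(i+1)/2: with a = 1 the first conjunct becomes the invariant at i = 0, the counterpart of ProperFile(0) in step (1.4).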


The second example is a program fragment, a procedure to determine if its argument is a prime. The variable parameter flag is set to 1 if the number arg is a prime, 0 if it is not. The most important aspect of this example is its use of the rule of inference for labels.

procedure PrimeTest(flag:arg);
var test;
label NotPrime: flag := 0;
begin
  test := 2;
  while test<arg do
    if arg mod test = 0 then goto NotPrime
    else test := test+1 fi
  od;
  flag := 1
end

Obviously, the procedure is correct if the procedure body has the following property:

{true} var test; label NotPrime: flag:=0; begin ... end
{(flag=0 and not Prime(arg)) or (flag=1 and Prime(arg))}

where Prime(k) is defined as

∀i[2:k-1] k mod i≠0.

The proof of the correctness of the procedure body follows.
(0) {not Prime(arg)} flag := 0 {(flag=0 and not Prime(arg)) or (flag=1 and Prime(arg))} [assign., conseq.]

(1) {∀k[2:test-1] arg mod k≠0 and arg mod test = 0} flag := 0 {(flag=0 and not Prime(arg)) or (flag=1 and Prime(arg))} [0, conseq.]

Now, the precondition of (1) will be used as the assumed precondition for the jump in the body of the loop.

(2) {∀k[2:test-1] arg mod k≠0 and arg mod test = 0} goto NotPrime {false} [assump.]

(3) {∀k[2:test-1] arg mod k≠0 and arg mod test = 0} goto NotPrime {∀k[2:test] arg mod k≠0} [2, conseq.]

(4) {∀k[2:test-1] arg mod k≠0} if arg mod test ... fi {∀k[2:test-1] arg mod k≠0} [3, assign., if]

(5) {true} test := 2; while ... od {∀k[2:arg-1] arg mod k≠0} [4, while, seq., cons.]

(6) {true} begin ... flag := 1 end {(flag=0 and not Prime(arg)) or (flag=1 and Prime(arg))} [5, ass., seq., cons.]

(7) {true} var test; label NotPrime: ... end {(flag=0 and not Prime(arg)) or (flag=1 and Prime(arg))} [1, 2, 6, label, var.]
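An added example, not code from the thesis, that executes the PrimeTest procedure above in Python with the goto realised as an exception caught at the label block, so that the labelled statement flag := 0 runs and the block then terminates, exactly the control flow the label rule of 4.5.5.3 describes. It records the loop invariant of step (4) before each execution of the loop body, checks the precondition of the jump from step (2) at the goto, and checks the post-assertion of the body for every argument up to a bound. The function names and the argument range are this example's own.

```python
# Added example (not the thesis's own code): PrimeTest with the goto modelled
# as an exception, plus checks of the invariant and of the post-assertion.
from typing import List, Optional


class Goto(Exception):
    """Transfer of control to a label of the enclosing label block."""

    def __init__(self, label: str) -> None:
        super().__init__(label)
        self.label = label


def prime(k: int) -> bool:
    """Prime(k) as defined in the text: forall i[2:k-1] k mod i <> 0.
    The bounded quantifier is vacuously true for k < 3, so under this
    definition Prime(0), Prime(1) and Prime(2) all hold."""
    return all(k % i != 0 for i in range(2, k))


def invariant(arg: int, test: int) -> bool:
    """Loop invariant of step (4): forall k[2:test-1] arg mod k <> 0."""
    return all(arg % k != 0 for k in range(2, test))


def prime_test(arg: int, trace: Optional[List[bool]] = None) -> int:
    """PrimeTest(flag:arg); returns flag.  When a trace list is supplied, the
    value of the invariant is appended before each execution of the loop body."""
    try:
        # begin ... end, the body of the label block
        test = 2
        while test < arg:
            if trace is not None:
                trace.append(invariant(arg, test))
            if arg % test == 0:
                # precondition of the jump, step (2): invariant and arg mod test = 0
                assert invariant(arg, test) and arg % test == 0
                raise Goto("NotPrime")
            else:
                test = test + 1
        flag = 1
    except Goto as g:
        # label NotPrime: flag := 0, the labelled statement; after it the label
        # block terminates, which is what the rule of 4.5.5.3 assumes
        assert g.label == "NotPrime"
        flag = 0
    return flag


def post_assertion(flag: int, arg: int) -> bool:
    """(flag=0 and not Prime(arg)) or (flag=1 and Prime(arg))."""
    return (flag == 0 and not prime(arg)) or (flag == 1 and prime(arg))


def body_correct_upto(limit: int) -> bool:
    """Check {true} body {post-assertion} for every arg in 0..limit."""
    return all(post_assertion(prime_test(a), a) for a in range(limit + 1))


def invariant_held_throughout(arg: int) -> bool:
    """True if the invariant of step (4) held before every loop iteration."""
    trace: List[bool] = []
    prime_test(arg, trace)
    return all(trace)


if __name__ == "__main__":
    print([a for a in range(2, 30) if prime_test(a) == 1])
    print(body_correct_upto(200))          # True
    print(invariant_held_throughout(91))   # True; 91 = 7 * 13 exits via the goto
```

One observation the checks make visible: for arg = 0 and arg = 1 the loop is never entered and flag becomes 1, and Prime(0) and Prime(1) are vacuously true under the definition above, so the post-assertion is satisfied even though 0 and 1 are not primes in the usual sense; the proof establishes the stated specification, and whether that specification matches the intended notion of primality is a separate question.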


One final comment about the rules of inference for procedure call and the rule of "procedure invariance" is in order. In our axiomatic definition, we have split the definition of the semantics of procedures into two components. First, the rules for procedure declaration and call describe the effect of a procedure in terms of its effect on its parameters. Thus, we require that the pre-assertion and the post-assertion for a procedure be given using only the variables specified in the parameter list, along with the input and output files (which can be regarded as implicit parameters to the procedure). Then, since the other aspect of the semantics of procedures is that they can have no effect other than their effect on the arguments of procedure calls, we have introduced a separate rule of "procedure invariance."

The  use  of  two  rules  of  inference  for  procedures  seems  to 
have  two  major  benefits.  First,  an  important  technical  effect  of 
this  use  of  two  rules  is  that  the  rule  for  procedure  calls  is 
simplified  over  that  of  [Cook  1975],  making  both  the  presentation 
of  the  rule  in  this  chapter  and  the  proof  of  its  validity  in 
Chapter  5  easier  to  give.  Also  these  two  rules  of  inference 
seem  to  capture  the  way  we  informally  understand  how  a  procedure 
works.  The  important  aspect  of  encapsulation  of  a  piece  of  code 
as  a  procedure  is  that  the  values  of  most  of  the  variables  in  a 
program  are  irrelevant  to  gaining  an  understanding  of  the 
procedure;  the  only  values  that  matter  are  the  values  of  the 
parameters.  The  rules  of  inference  given  above  seem  to  capture 
the  intuition  behind  this  informal  process  nicely. 
Chapter 5

Consistency of the PASCAL Subset Definitions

In the previous chapter, we presented mathematical and axiomatic definitions of a PASCAL subset. The purpose of this chapter is to prove formally that the definitions are consistent, i.e., that the axioms and rules of inference used to define the axiomatic semantics of the language are valid with respect to the model provided by the mathematical definition of the language.

The proofs of consistency given in this chapter will involve a good deal of tedium, primarily because of the size of the language defined in Chapter 4. In particular, the size of the language means that each of the many inductions on the elements of the syntactic domains will have several cases to be checked. This illustrates one of the major problems in the definition, design, or use of a programming language. Any language consists of a rather "mixed bag" of constructs and features, of which a few are necessary to provide the appropriate degree of "expressive power" and the rest are provided to make the language suitable for the mere mortals who must use it to write programs. For example, our subset of PASCAL could easily be reduced to assignment, input/output, conditional, and while statements without loss of expressive power. To the most extreme structured programming purists, this would still be a usable language. However, it would certainly be stretching a point to advertise it as "a PASCAL subset." The size of the effort involved in proving the definitions consistent and the relative simplicity of the proof techniques needed to complete the proofs suggests that proving properties of programming language definitions may be one of the tasks best suited to the use of machine assistance to reduce the effort involved in generating or checking proofs of shallow, but necessary, lemmas and theorems.

To prove the definitions consistent, we adopt the following basic approach:

1. We provide an interpretation of the assertions of the axiomatic definition in terms of the domains of the mathematical definition, i.e., we define assertions as continuous functions.

2. Using a technique similar to [Lauer], we give an interpretation of the formulas of the axiomatic system as statements in the predicate calculus.

3. We then prove that the axioms and rules of inference are valid with respect to their interpretation, i.e., the axioms are true and the rules of inference preserve truth.

We begin by giving an interpretation of assertions in terms of the domains of the mathematical definition.

5.2 The interpretation of assertions

In Chapter 4 we described the syntax of the assertion language used in the axiomatic definition and gave an informal description of the meaning of each of the constructs in the language. Here we present a formal definition of the meaning of assertions, using a mathematical definition in terms of the domains presented in Chapter 4.

To begin with, we present the abstract syntax of the assertion language as a syntactic domain, similar to those presented in 4.3.2.1. First, however, we give a new definition of the syntactic domain Exp of expressions to include those extended expressions allowed in the assertion language.

Exp'  = T
      + N
      + eof
      + [Id x Varg*]
      + [Uop x Exp']
      + [Bop x Exp' x Exp']
      + Var'                             the extended domain of variables

Var'  = [Id x Exp' x Exp' x Exp']        altered arrays
      + [In x Exp']                      input file selections
      + [Out x Exp']                     output file selections
      + Var

In    = in                               input sequence expressions
      + [Exp' x In]

Out   = out                              output sequence expressions
      + [Out x Exp']

Ast   = Exp'                             assertions
      + [not x Ast]
      + [Binop x Ast x Ast]
      + [Qt x Id x Exp'* x Ast]
      + [Qt x Id x Exp' x Exp' x Ast]

Binop = {and, or, implies}

Qt    = {∀, ∃}


Before giving the semantics of assertions, we first present the new clauses of Me needed to define the meaning of the extended expressions defined above. To do so, we will use the following function over lists. For any domain D*, we define

Size : D* -> Int

to produce the number of elements of D in its argument. Also, we will use the auxiliary function

NewFile : [In + Out] -> [Env -> [S -> Val*]]

to produce the sequence defined by sequence expressions involving the input and output files. NewFile is defined as follows:

NewFile<in>(e;s) = si
NewFile<out>(e;s) = so

NewFile<exp || in>(e;s) =
    let v = Me<exp>(e;s);
        f = NewFile<in>(e;s)
    in (v || f)

NewFile<out || exp>(e;s) =
    let v = Me<exp>(e;s);
        f = NewFile<out>(e;s)
    in (f || v)

The new clauses of Me are:


Me<id[exp1 <- exp2][exp3]>(e;s) =
    let v1 = Me<exp1>(e;s) to Int;
        v2 = Me<exp2>(e;s);
        v3 = Me<exp3>(e;s) to Int
    in (value v1, v2, v3):
        if sv<id> is Int -> Val
        then s'v<id>(v3) where s' = s[id(v1) <- v2]
        else t

Me<in[exp]>(e;s) =
    let v = Me<exp>(e;s) to Int;
        f = NewFile<in>(e;s)
    in (value f, v):
        if v > Size(f) then t else f[Size(f) - v + 1]

Me<out[exp]>(e;s) =
    let v = Me<exp>(e;s) to Int;
        f = NewFile<out>(e;s)
    in (value f, v):
        if v > Size(f) then t else f[v]

Me<#in>(e;s) = Size(si)

Me<#out>(e;s) = Size(so)

The close relationship between assertions and PASCAL Boolean-valued expressions, which we exploited in the previous chapter to argue the expressiveness of the assertion language, suggests that we define our interpretation function I to have functionality

I : Ast -> [Env -> [S -> Bool]]

for the domains Env, S, and Bool defined in 4.4.2.2. Note the similarity between the functionality of I and that of Me given in 4.4.3. Again, we give the definition of I by cases on the syntactic clauses of Ast. In the definition below, we will define the meaning of the connectives and, or, not, and implies in terms of subsidiary functions And, Or, Not, and Implies. We will simply assume that these functions are continuous extensions of the usual logical operations (in the cases of And, Or, and Not, we will assume that the functions are also the ones used to give the meanings of the PASCAL subset operations &, |, and ¬).

I<exp'>(e;s) = Me<exp'>(e;s) to Bool

I<not ast>(e;s) = Not(I<ast>(e;s))

I<ast1 and ast2>(e;s) = And(I<ast1>(e;s), I<ast2>(e;s))

I<ast1 or ast2>(e;s) = Or(I<ast1>(e;s), I<ast2>(e;s))

I<ast1 implies ast2>(e;s) = Implies(I<ast1>(e;s), I<ast2>(e;s))


I<∀id∈exp* ast>(e;s) = TestTrue(exp*)
    where rec func TestTrue(Exp'* x):
    begin
        if x is empty then true
        else And(I<ast>(e; s[id <- Me<hd(x)>(e;s)]), TestTrue(tl(x)))
    end

    Bounded universal quantification over a set of expressions is evaluated by "anding" the test for each expression in the exp* list. Note that because we have a finite list of expressions, this term has a finite number of components.

I<∃id∈exp* ast>(e;s) = TestFalse(exp*)
    where rec func TestFalse(Exp'* x):
    begin
        if x is empty then false
        else Or(I<ast>(e; s[id <- Me<hd(x)>(e;s)]), TestFalse(tl(x)))
    end

    Existential quantification is similar, only the terms are "ored", rather than "anded."

I<∀id[exp1:exp2] ast>(e;s) =
    let v1 = Me<exp1>(e;s) to Int;
        v2 = Me<exp2>(e;s) to Int
    in (value v1, v2):
    begin LoopTrue(v1, v2)
        where rec func LoopTrue(x1, x2):
        begin
            if x1 > x2 then true
            else And(I<ast>(e; s[id <- x1]), LoopTrue(x1+1, x2))
        end
    end

    Again, we define universal quantification by a function that iterates over the elements of the set and "ands" the terms.

I<∃id[exp1:exp2] ast>(e;s) =
    let v1 = Me<exp1>(e;s) to Int;
        v2 = Me<exp2>(e;s) to Int
    in (value v1, v2):
    begin LoopFalse(v1, v2)
        where rec func LoopFalse(x1, x2):
        begin
            if x1 > x2 then false
            else Or(I<ast>(e; s[id <- x1]), LoopFalse(x1+1, x2))
        end
    end

    Existential quantification is as above, only the tests are "ored" together.

Note that our use of bounded quantification makes it easy to define the meaning of assertions as continuous functions over the domain Bool. The continuity of I will be of particular importance in the fixed point inductions given below.

5.3 Substitution

Before turning to the meaning of axiomatic formulas, one final aspect of assertions needs to be formalized, that of syntactic substitution in assertions. Our assertion language allows two forms of substitution:

1. that of the substitution of a single expression for an identifier (used in the assignment, read, and write axioms and the rule of inference for the for statement), and

2. that of the simultaneous substitution of a sequence of expressions for a sequence of identifiers (used in the procedure call and variable declaration rules of inference).

We first give a more formal definition of simple substitution and then describe the meaning of simultaneous substitution.

Simple substitutions all have the form

<expression> < <term>/<identifier> >

where <term> is the syntactic class

<term> ::= <expression>
         | (<identifier>[<expression> <- <expression>]).

The second component of <term> represents the "altered array" expressions used to define array assignment and array element read statements. To define simple substitution in reasonable detail, we will use a syntax similar to that used previously to give mathematical semantics. Note, however, that we are not defining a continuous function

Sub : Exp -> [Term -> [Id -> Exp]],    Term = Exp + [Id x Exp x Exp],

but are simply using the same syntactic form for convenience (the continuity of substitution is of no importance). Since we are using domains to define the abstract syntax, we will use t, the "error" element of the domain Exp, as the result of erroneous substitutions. The meaning of substitution in most cases is obvious; we present the definition only for the few relatively interesting cases, including all cases of substitution involving variables.


id(exp*)<term/id'> = id(exp*<term/id'>)

    Substitutions are not made for the function identifier in a function designator.

id<term/id'> = if id = id' then term else id

    This clause defines the substitution of expressions for identifiers.

id[exp]<exp'/id'> = if id = id' then t else id[exp<exp'/id'>]

    Attempting to substitute a simple expression for the array identifier in an array component expression is an error.

id[exp]<(id'[exp1 <- exp2])/id'> =
    (id<(id'[exp1 <- exp2])/id'>)[exp<(id'[exp1 <- exp2])/id'>]

    For array element selections, substitute "altered array" expressions in both the array identifier and the index expression.

(∀id∈exp* ast)<exp'/id'> = ∀id''∈exp*<exp'/id'> ast<id''/id><exp'/id'>
    where id'' is not in exp'.

    This is the "renaming of bound variables" operation used informally in Chapters 2 and 4. Remember that id is not allowed to occur in any of the exp*.

To define simultaneous substitution of a sequence of expressions for a sequence of identifiers using our previous definition of simple substitution, we apply the following procedure. First, for each identifier for which a substitution is to occur, substitute a new identifier not appearing in any of the expressions to be substituted. Then substitute, one at a time, the expressions for the new identifiers. Since the process is simple to say but would be tedious to give formally, we do not present its formal description, but will simply assert that it defines simultaneous substitution consistent with the desired properties. Below, we will also assume that simultaneous substitution is defined only in cases where all of the identifiers for which substitutions are to be made are distinct. Otherwise, the "erroneous" assertion is produced.
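As an added illustration (example code written for this edition, not part of the thesis), the following Python script models the interpretation function I of section 5.2 and the simple substitution of section 5.3 over a constructed tuple representation of assertions, and checks on sample states the property I<R<a/x>>(e;s) = I<R>(e;s[x <- Me<a>(e;s)]) that the assignment axiom proof in 5.5.2.1 relies on, including the altered-array and bound-variable-renaming cases. The representation, the state layout, the error sentinel ERR and the sample states are assumptions of the example.

```python
# Added example (not from the thesis): a Python model of the interpretation function I
# of section 5.2 and the simple substitution of section 5.3. Constructed syntax (assumed):
#   expression ::= int | bool | str (identifier) | ('bop', op, e1, e2)
#                | ('idx', arr, e)  arr[e]  | ('alt', arr, e1, e2)  arr[e1 <- e2]
#   assertion  ::= expression | ('not', A) | ('and', A, B) | ('or', A, B) | ('implies', A, B)
#                | ('forall_in', id, [e, ...], A) | ('exists_in', id, [e, ...], A)
#                | ('forall', id, e1, e2, A) | ('exists', id, e1, e2, A)
# A state s is a dict from identifiers to ints/bools, or to dicts for arrays.
import operator

ERR = "t"   # the error element t of the thesis' domains
BOPS = {"+": operator.add, "-": operator.sub, "*": operator.mul,
        "=": operator.eq, "<": operator.lt, "<=": operator.le}

def me(exp, s):
    """Me<exp>(e;s): strict evaluation, any erroneous part gives ERR."""
    if not isinstance(exp, tuple):
        return s.get(exp, ERR) if isinstance(exp, str) else exp
    if exp[0] == "bop":
        a, b = me(exp[2], s), me(exp[3], s)
        return ERR if ERR in (a, b) else BOPS[exp[1]](a, b)
    arr, i = me(exp[1], s), me(exp[2], s)
    if ERR in (arr, i) or not isinstance(arr, dict):
        return ERR
    if exp[0] == "idx":
        return arr.get(i, ERR)          # selection outside the array is an error
    v = me(exp[3], s)                   # 'alt': copy of the array with one slot changed
    return ERR if v is ERR else {**arr, i: v}

def lift(f):
    return lambda *xs: ERR if ERR in xs else f(*xs)   # continuous extension: error in, error out

NOT, AND = lift(lambda p: not p), lift(lambda p, q: p and q)
OR, IMPLIES = lift(lambda p, q: p or q), lift(lambda p, q: (not p) or q)
CONNECTIVES = {"and": AND, "or": OR, "implies": IMPLIES}

def interp(ast, s):
    """I<ast>(e;s): the truth value of an assertion in state s."""
    if not isinstance(ast, tuple) or ast[0] in ("bop", "idx"):
        v = me(ast, s)                  # atomic assertion: Me<exp>(e;s) to Bool
        return v if isinstance(v, bool) else ERR
    tag = ast[0]
    if tag == "not":
        return NOT(interp(ast[1], s))
    if tag in CONNECTIVES:
        return CONNECTIVES[tag](interp(ast[1], s), interp(ast[2], s))
    if tag.endswith("_in"):             # TestTrue / TestFalse over a list of expressions
        _, x, exps, body = ast
        vals = [me(e, s) for e in exps]
    else:                               # LoopTrue / LoopFalse over an integer range
        _, x, lo, hi, body = ast
        lo, hi = me(lo, s), me(hi, s)
        vals = [lo, hi] if ERR in (lo, hi) else range(lo, hi + 1)
    if any(v is ERR for v in vals):
        return ERR
    join, acc = (AND, True) if tag.startswith("forall") else (OR, False)
    for v in vals:                      # finitely many terms, "anded" or "ored"
        acc = join(acc, interp(body, {**s, x: v}))
    return acc

def names(syn):
    """Identifiers occurring in a piece of syntax (bound ones included)."""
    if isinstance(syn, str):
        return {syn}
    parts = (syn[2:] if syn[0] == "bop" else syn[1:]) if isinstance(syn, tuple) else syn
    return set().union(*(names(p) for p in parts)) if isinstance(parts, (tuple, list)) else set()

def subst(a, term, x):
    """a<term/x>: the simple substitution of section 5.3 (ERR in the erroneous cases)."""
    if isinstance(a, str):
        return term if a == x else a
    if isinstance(a, list):             # the exp* list of a bounded quantifier
        exps = [subst(e, term, x) for e in a]
        return ERR if any(e is ERR for e in exps) else exps
    if not isinstance(a, tuple):
        return a
    tag = a[0]
    if tag == "bop":
        parts = (a[1], subst(a[2], term, x), subst(a[3], term, x))
    elif tag in ("idx", "alt"):         # arr[e] or arr[e1 <- e2]
        arr = a[1]
        if arr == x:                    # only an altered-array term may replace an array name
            arr = term if isinstance(term, tuple) and term[0] == "alt" else ERR
        elif isinstance(arr, tuple):
            arr = subst(arr, term, x)
        parts = (arr,) + tuple(subst(p, term, x) for p in a[2:])
    elif tag in CONNECTIVES or tag == "not":
        parts = tuple(subst(p, term, x) for p in a[1:])
    else:                               # quantifier: rename the bound identifier first
        bound, used = a[1], names(term) | names(a)
        new = bound + "'"
        while new in used:              # id'' occurs neither in the term nor in a
            new += "'"
        body = subst(subst(a[-1], new, bound), term, x)
        parts = (new,) + tuple(subst(p, term, x) for p in a[2:-1]) + (body,)
    return ERR if any(p is ERR for p in parts) else (tag,) + parts

def assignment_check(r, a, x, s):
    """Both sides of lemma 5.2 for x := a: I<R<a/x>>(e;s) and I<R>(e;s[x <- Me<a>(e;s)])."""
    return interp(subst(r, a, x), s), interp(r, {**s, x: me(a, s)})
```

The renaming in subst is what keeps the capture case (substituting an expression that mentions the bound identifier) consistent with the state-update side of the lemma.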

5.4 Interpretation of the axiomatic formulas

Remember that our informal interpretation given in the previous chapter for the formula {P} A {Q} was "if P is true prior to execution of A and A terminates, then Q is true after execution of A." We first give a more accurate informal description of the axiomatic formulas and then describe their meaning formally.

The label declaration rule of inference given in Chapter 4 illustrates the problem with our original interpretation. Remember that the rule of inference for label declarations was

{P} stmt {R}, {P} goto id {false} ⊢ {P'} lblock {R}
-----------------------------------------------------
{P'} label id: stmt; lblock {R}

Now, consider the assertion

{false},

which we use as an assumption to prove the body of the label block to be correct. Applying our previous interpretation, this means that if goto id terminates (i.e., produces a final state), then false must be true of that final state. This implies that goto statements never terminate, since false can never be true. This is obviously not the case.

This suggests that, in fact, axiomatic formulas have a slightly more complex meaning than was given in our previous informal interpretation. A more accurate interpretation of {P} A {Q} is the following. "If P is true prior to execution of A and A terminates normally, in the sense that the next statement executed is the one following A, then Q is true after execution of A." In this sense, the assumption used in the label declaration rule is obviously valid, because the statement following the goto is never reached after the transfer of control occurs. This informal interpretation can be formalized as follows.

Remember that the analogue of the informal notion of executing the next statement in the program is the application of the continuation in the mathematical definition. Thus, we define {P} A {Q} as

(5.1)  ∀e ∀s[P(e;s) => [∀s'[∀c Ms<A>(e;c;s) = c(s')] => Q(e;s')]]

where we will use P(e;s) to denote

I<P>(e;s) = true

simply to reduce the amount of notation.

Since we have restricted our subset of PASCAL to constructs which are deterministic, for a given environment and state there will be at most one "final state" s'. There will, however, be no s' satisfying the equality in the following cases:

1. The meaning of A is such that a continuation other than the one provided is used. This, for example, is what occurs in the case of the goto definition.

2. For a particular environment and state, the meaning of A is undefined or erroneous.

In the proofs presented below, we will make frequent use of the following obvious lemma.

Lemma 5.1: If for a particular e and s, for all c, Ms<A>(e;c;s) = t (or b), then there does not exist an s' such that

∀c Ms<A>(e;c;s) = c(s').

Proof: By contradiction. Let c' be any continuation which is not strict in its argument (for example, the constant function

c'(s) = nil,

which produces the empty output file for each state). Then, by the hypothesis, we have

Ms<A>(e;c';s) = t (or b).

But for any s', c'(s') ≠ t (or b).

This lemma can be roughly interpreted as "erroneous computations don't apply the normal continuation." Thus the interpretation given above seems to capture adequately the notion of partial correctness implicit in the use of the axiomatic formulas.

5.5 Proof of consistency of the definitions

5.5.1 Introduction

To prove the definitions consistent, we must prove that each of the axioms and rules of inference is valid with respect to the mathematical model. Rather than presenting sixteen long, rather repetitive proofs, we will

1. select six of the proofs which exhibit the important ideas involved and present them in a fairly detailed and careful manner (with a good deal of informal commentary), and

2. present convincing but less rigorous arguments for the other rules of inference. For these rules of inference, we will describe how the proofs could be generated, but give less detailed presentations than those given for the more interesting cases.

The proofs below will make extensive use of the techniques of "fixed point induction" [Manna 1974, Milner 1972, Park 1969] to prove properties of recursively defined functions and "structural induction" [Manna 1974, Burstall 1969] to prove properties of recursively defined domains. Before presenting the proofs, we give a detailed description of both of these induction rules.

Fixed point induction (also called "mu-induction" in [Manna and Vuillemin 1972]) has been described earlier in Chapter 2. Remember that in Chapter 3 we defined the meaning of a recursive definition of the form

f = rec F(f)    (where F was continuous)

to be

f = lub{F^n(b) | n = 0, 1, 2, ...}

where

F^0(b) = b
F^(n+1)(b) = F(F^n(b)).

Since each element of the sequence F^0, F^1, ... is an extension of each of the previous elements, i.e.

F^i ⊑ F^j for all i < j,

we can use this sequence as the basis of an induction, the "fixed point" induction principle described in Chapter 2. We restate the principle below, being more careful to restrict it to the class of "admissible" predicates.

A predicate P(f) is said to be admissible iff for every continuous functional F, if P(F^i(b)) holds for all i ≥ 0, then P(lub{F^i(b)}) holds.

This condition on the admissibility of predicates is analogous to the continuity requirement for functions. Essentially, this restriction requires that the predicate not become false as we pass to the limit of a sequence of function approximations after having been true for each of the approximations. As an illustration of a predicate which is not admissible, we present the following example, taken from [Manna 1974].

Consider the factorial function defined by

rec func Fact(x): if x = 0 then 1 else Fact(x-1)*x

and the predicate

NotTotal(F) = there exists an x ≥ 0 such that F(x) = b.

Now, for each member of the sequence

Fact^0 = func(x): b
Fact^1 = func(x): if x = 0 then 1 else Fact^0(x-1)*x
...

it is clear that NotTotal(Fact^i) is true, since each Fact^i gives the factorial of only a finite number of integers. But in the limit NotTotal(lub{Fact^i}) is definitely false, since factorial is total.

Fortunately, there is a large class of admissible predicates, including all of the ones necessary to produce the proofs below. We can now present the fixed point induction principle.

Fixed point induction: Let P be any admissible predicate. Then if P(b) holds and P(f^i) => P(f^(i+1)), where f^i = F^i(b), then P(f) holds, where f = rec F(f).

That this induction principle is valid follows immediately from the definition of admissible predicates and the meaning of the recursive definition of f as the least upper bound of the f^i sequence.

Structural induction is similar to fixed point induction, only applied to recursively defined domains, rather than to recursively defined domain elements. The original formulation by Burstall [1969] was given in terms of induction over well-ordered sets; below we will describe the technique in terms of induction over recursively defined domains.

Structural induction: Assume D is a domain defined by an equation of the form D = T(D) for some domain transformation T (these were defined in Chapter 3), and let P(D) be an admissible total predicate (where we will define admissible with respect to this induction rule below). Then if P({b}) and P(X) => P(T(X)), then P(D).

Definition: A predicate P(D) is admissible iff P(D^i) for all i ≥ 0 implies P(Dinf), where

1. D^0 = {b},

2. D^(i+1) = T(D^i), and

3. Dinf is the completion of the retraction sequence

   D0 <-f1,g1-> D1 <-f2,g2-> D2 ...

   for some functions f1, f2, ... and g1, g2, ...

Again, our restriction on admissible predicates is to weed out those that have different properties at the limit. As with the class of admissible predicates for fixed point induction, this class is large enough to include all the predicates used in this thesis. One remark is in order, however, on the definitions of Ms, Me, Ma, and I given above.

In giving the definitions of these meaning functions by cases on their syntactic arguments, we have left implicit the fact that these arguments are, in fact, elements of a domain which also has t and b elements. In the following, we will assume that any of these meaning functions applied to t or b produces t or b as a result. This fact will be of particular importance in establishing the basis step of inductions.

5.5.2 The detailed proofs

5.5.2.1 Simple assignment

We present a proof of the validity of the axiom of simple assignment

{R<a/x>} x := a {R},

because it is the simplest axiom with a non-trivial proof (obviously the null statement is the easiest axiom to prove valid, since null does nothing). This allows a chance to describe rather completely the use of structural and fixed point induction, without introducing too much superfluous detail.

Theorem 5.1: The axiom for simple assignment statements is valid.

Proof: By the interpretation of axiomatic formulas, we require

(5.2)  ∀e ∀s[R<a/x>(e;s) => [∀s'[∀c Ms<x := a>(e;c;s) = c(s')] => R(e;s')]]

We assume the premise R<a/x>(e;s) (remember that this is short-hand for I<R<a/x>>(e;s) = true). From 4.4.5.3, we have

Ms<x := a>(e;c;s) =
    let v = Me<a>(e;s)
    in (value v): if sv<x> is Val then c(s[x <- v]) else t

From lemma 5.1, we know that if Ms<x := a>(e;c;s) = t (or b) for arbitrary c, then the right-hand side of the implication is vacuously true, since no s' exists, and the proposition holds. Thus we can immediately discard the cases where sv<x> is not a proper member of Val, i.e., sv<x> is t or b.

Also, it is clear that if for all c, Ms<x := a>(e;c;s) = c(s'), then

(5.3)  s' = s[x <- Me<a>(e;s)]

To prove the theorem, we will prove the stronger result

I<R<a/x>>(e;s) = I<R>(e;s'),

where s' is defined as above. From this we can obviously deduce

R<a/x>(e;s) => R(e;s'),

thus proving the theorem.

Lemma 5.2: For any R ∈ Ast and a ∈ Exp,

I<R<a/x>>(e;s) = I<R>(e;s'),

where s' is defined in line (5.3).

Proof: To prove the lemma, we will use a structural induction on the form of R. Remember that the domain of assertions has the form

Ast = Exp' + [not x Ast] + [Binop x Ast x Ast]
    + [Qt x Id x Exp'* x Ast]
    + [Qt x Id x Exp' x Exp' x Ast]

Basis: R is in the domain {b}. Since

I<b>(e;s) = b = I<b<a/x>>(e;s)

(we assume that substitution produces t or b when substituting any expression in t or b), the theorem holds.

Induction: Assume the theorem holds for all assertions R in the domain AR. Now, we must show that this implies that the theorem is also true for all assertions R' in the domain

AR' = Exp' + [not x AR] + [Binop x AR x AR]
    + [Qt x Id x Exp'* x AR]
    + [Qt x Id x Exp' x Exp' x AR]

This is shown by case analysis on the subdomains of AR'. First, if R' is an expression (an atomic assertion), we have

I<R'>(e;s) = Me<R'>(e;s) to Bool.

To verify the lemma for this case, we prove the following lemma, involving an induction on the structure of expressions.

Lemma 5.3: For any expressions E, a ∈ Exp and x ∈ Id,

Me<E<a/x>>(e;s) = Me<E>(e;s'),

again where

s' = s[x <- Me<a>(e;s)]

Proof: Again, we will prove the lemma by structural induction, only this time on the structure of the domain Exp' of extended expressions. As above, the basis step follows immediately from the fact that

Me<b>(e;s) = b = Me<b<a/x>>(e;s).

The induction step assumes the lemma true for all E ∈ Exp' and proves the lemma true for the domain

Exp = T + N + eof + [Id x Varg*] + [Uop x Exp'] + [Bop x Exp' x Exp'] + Var'

(where Exp' plays the part that AR played above). This can be readily done by a case analysis on the subdomains of Exp, which we omit to keep the proof of this theorem to a reasonable length.

Q.E.D. lemma 5.3.

Lemma 5.3 establishes lemma 5.2 for the case that the assertion R is simply a PASCAL subset expression. To complete the induction step of lemma 5.2, we must prove the lemma for all cases of structured assertions, i.e., assertions involving the operators and, or, implies, or not, or beginning with quantifiers. The cases involving the logical operators are obvious from the definition of the meaning of such assertions and the truth of lemma 5.3. The cases involving quantification are more complex because of the recursive definition of I for these forms of assertions. To prove the lemma in these cases necessitates fixed point inductions on the appropriate clauses of the definition of I. However, the truth of the lemma should be clear from the definition of I and the meaning of substitution given for such assertions in section 5.3.

Finally, from lemma 5.2, it is clear that

R<a/x>(e;s) => R(e;s'),

so we have completed the proof of the theorem.

Q.E.D. theorem 5.1.

5.5.2.2 Write statements

A rather detailed proof of the axiom for write statements

{P<(out || exp)/out, #out+1/#out>} write exp {P}

is presented as an example of proofs of validity of the input/output axioms.

Theorem 5.2: The axiom for output statements is valid.

Proof: From 4.4.5.3, we have

Ms<write exp>(e;c;s) =
    let v = Me<exp>(e;s)
    in (value v): if so is Val* then c((sv, si, append(so, v))) else t

Using lemma 5.1, we know that if Ms<write exp>(e;c;s) = c(s'), then

1. Me<exp>(e;s) ≠ t (or b), and

2. so is a proper element of Val*, i.e., not t or b,

since the result of the write statement would be t or b in both of those cases. And, if the preceding conditions are true, we have

(5.5)  s' = (sv, si, append(so, Me<exp>(e;s)))

Again, we prove the theorem by proving the stronger lemma:

Lemma 5.4: For all a in Exp',

I<P<(out || a)/out, #out+1/#out>>(e;s) = I<P>(e;s')

for any environment e and store s (where s' is that of line (5.5)).

Proof: Again, we could prove the lemma from a structural induction on the form of assertions, but the truth of the lemma is obvious from the following observations:

1. Me<(out || a)[#out+1]>(e;s) = append(so, Me<a>(e;s))[Size(so)+1]
                                = s'o[Size(s'o)]
                                = Me<out[#out]>(e;s').

2. Me<#out+1>(e;s) = Size(so)+1 = Size(s'o) = Me<#out>(e;s').

3. For all e' ∈ Exp', e' ≠ (out || a)[#out+1] implies

   Me<e'>(e;s) = Me<e'>(e;s'),

   since write only changes the last component of the output file.

Q.E.D. lemma 5.4.

From the lemma it is clear that the theorem holds.

Q.E.D. theorem 5.2.

Note that the proof of this theorem, and the proofs of consistency of the other input/output axioms, require the interpretation of the PASCAL arithmetic operators as normal integer arithmetic. This is one place that seems to require the augmentation of a formal logic of program schemes with at least a successor theory if machine-generated or checked proofs are desired.

5.5.2.3 While statements

The rule of inference for while statements is

         {P and b} st {P}
-------------------------------------
{P} while b do st od {P and not b}

As the definition of while given in 4.4.5.3 was in terms of a recursive definition, it is clear that a proof by fixed point induction is required.

Theorem 5.3: The rule of inference for while statements is valid.

Proof: From the definition of while, we form the sequence of approximations

Ms^0<while b do st od>(e;c;s) = b

Ms^(i+1)<while b do st od>(e;c;s) =
    if Me<b>(e;s) to Bool
    then Ms<st>(e; Ms^i<while b do st od>(e;c); s)
    else c(s)

and use the sequence to prove

{P and b} st {P} implies {P} while_i b do st od {P and not b},

where while_i represents Ms^i for each i. From this we can deduce the validity of the theorem from fixed point induction.


Basis: Ms^0<while b do st od>(e;c;s) = b. From lemma 5.1, we can deduce that the theorem is vacuously true, since there is no s' such that

Ms^0<while b do st od>(e;c;s) = c(s')

for all c.

Induction: Assume the rule is valid for while_i. We want to show

(5.7)  P(e;s) => [∀s'[∀c Ms^(i+1)<while b do st od>(e;c;s) = c(s')] => (P and not b)(e;s')],

given the hypothesis

{P and b} st {P}.

The proof is given by case analysis on the evaluation of b.

Case 1: Me<b>(e;s) = b (or t). Since the conditional is doubly strict in its argument, the right-hand side of the implication is vacuous from lemma 5.1, and the theorem follows trivially.

Case 2: Me<b>(e;s) = false. From the definition of Ms^(i+1) we have

Ms^(i+1)<while b do st od>(e;c;s) = c(s),

and (5.7) reduces to showing

P(e;s) and Me<b>(e;s) = false => (P and not b)(e;s),

since P is true by the hypothesis. From the definition of the meaning function I for assertions, this is clearly true, so the theorem holds.

Case 3: Me<b>(e;s) = true. From the definition of Ms^(i+1), we have

Ms^(i+1)<while b do st od>(e;c;s) = Ms<st>(e; Ms^i<while b do st od>(e;c); s).

But, we know that

1. {P and b} st {P}, and

2. {P} while_i b do st od {P and not b},

from which we can readily deduce (5.7).

The theorem then follows from fixed point induction. Note that the preceding argument is independent of the particular P used. This can be done because the continuity of I guarantees that the predicate I<P> = true is admissible, thus allowing fixed point induction to be valid regardless of the particular P chosen.

Q.E.D. theorem 5.3.
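As an added illustration (example code written for this edition, not from the thesis), the following Python script builds the approximation chain Ms^0, Ms^1, ... for a concrete while loop in continuation style and checks formula (5.7) for each approximation on constructed states, recovering the final state s' with a non-strict identity continuation in the spirit of the proof of lemma 5.1. The loop (summing 1..N), its invariant P, the sample states and the BOTTOM sentinel are assumptions of the example.

```python
# Added example (not from the thesis): the approximation sequence used in the proof
# of theorem 5.3, modelled in continuation style, with formula (5.7) checked for
# each approximation. The loop, invariant and states below are constructed.
BOTTOM = object()   # stands for the undefined element b


def seq(*stmts):
    """Ms<st1; st2; ...>(e;c;s): run the statements, threading the continuation."""
    def run(c, s):
        for st in reversed(stmts):
            c = (lambda st, c: lambda s1: st(c, s1))(st, c)
        return c(s)
    return run


def assign(x, f):
    """Ms<x := a>(e;c;s) = c(s[x <- v]), where f(s) plays the part of Me<a>(e;s)."""
    return lambda c, s: c({**s, x: f(s)})


def while_approximations(b, st, n):
    """Ms^0 = b (bottom); Ms^(i+1) = if b then st followed by Ms^i else c(s)."""
    approx = [lambda c, s: BOTTOM]
    for _ in range(n):
        prev = approx[-1]
        approx.append(lambda c, s, prev=prev:
                      st(lambda s1: prev(c, s1), s) if b(s) else c(s))
    return approx


# Constructed loop: y accumulates 1 + 2 + ... + N while x counts down from N.
#   while x > 0 do y := y + x; x := x - 1 od
def b(s):
    return s["x"] > 0


ST = seq(assign("y", lambda s: s["y"] + s["x"]),
         assign("x", lambda s: s["x"] - 1))


def P(s):
    """Invariant: x >= 0 and y + x(x+1)/2 = N(N+1)/2; P and not b gives y = N(N+1)/2."""
    return s["x"] >= 0 and s["y"] + s["x"] * (s["x"] + 1) // 2 == s["N"] * (s["N"] + 1) // 2


STATES = [{"N": n, "x": n, "y": 0} for n in range(6)] + [{"N": 5, "x": 2, "y": 12}]


def identity(s):
    """A continuation that is not strict in its argument, as in the proof of lemma 5.1:
    under it a normally terminating computation returns its final state s' itself."""
    return s


def premise_holds(inv, st=ST, states=STATES):
    """The hypothesis {P and b} st {P} of the while rule, checked on the sample states."""
    return all(inv(st(identity, s)) for s in states if inv(s) and b(s))


def check_approximation(i, inv, st=ST, states=STATES):
    """Formula (5.7) for Ms^i: whenever Ms^i maps a state satisfying P to some s',
    P and not b holds at s'. Returns (states on which Ms^i terminates, (5.7) held)."""
    ms_i = while_approximations(b, st, i)[i]
    finals = [ms_i(identity, s) for s in states if inv(s)]
    finals = [s1 for s1 in finals if s1 is not BOTTOM]
    return len(finals), all(inv(s1) and not b(s1) for s1 in finals)


if __name__ == "__main__":
    print("premise {P and b} st {P}:", premise_holds(P))
    for i in range(8):
        print(f"Ms^{i}: (terminating states, (5.7) holds) =", check_approximation(i, P))
```

Ms^i only reaches the normal continuation on states needing fewer than i iterations, so the count of terminating states grows with i while (5.7) holds at every stage, which is what the fixed point induction of theorem 5.3 exploits.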

5.5.2.4 Variable declaration

The rule of inference for variable declarations is

{P<z1/x1, z2/x2>} Q {R<z1/x1, z2/x2>}

{P} var x1; array x2; Q {R}

where z1, z2 do not appear free in P, R, or Q.

Theorem 5.4: The rule of inference for variable declarations is valid.

Proof: The proof of this rule depends primarily on the properties of substitutions in assertions. We assume the premise

(5.8) {P<z1/x1, z2/x2>} Q {R<z1/x1, z2/x2>}

and we want to show the conclusion

∀e ∀s [P(e;s) => ∀s'[∀c Ms<var x1; array x2; Q>(e;c;s) = c(s') => R(e;s')]].

First, for any state s, we define a new state

(5.10) s+ = s[z1 <- sv<x1>; z2 <- sv<x2>; x1 <- u; x2 <- (Int i): u]

for any identifiers x1, x2, z1, z2. Essentially, s+ places the old values of x1, x2 in z1, z2 and gives undefined (u) for the new values of x1, x2. Now, we can show by a simple structural induction on P that

(5.11) P(e;s) <=> (P<z1/x1, z2/x2>)(e;s+).

And the following lemma shows that we can use Q and s+ to "simulate" the action of

var x1; array x2; Q

on s.

Lemma 5.5: Define s+ as in (5.10) and define

c+ = func(S s'): c(s'[x1 <- s'v<z1>; x2 <- s'v<z2>; z1 <- sv<z1>; z2 <- sv<z2>]).

Essentially, c+ puts the z values in x and puts the original z values back in z. Then,

Ms<Q>(e;c+;s+) = Ms<var x1; array x2; Q>(e;c;s).

Proof: Again, the obvious proof involves a structural induction on the form of Q. The lemma is clearly true, however, since:

1. s+ initially assigns u to the variables x1 and x2, as does the meaning function for declarations.

2. Although the variables z1 and z2 are originally changed in s+, c+ restores their original values. Since they do not appear free in Q, their initial value does not affect the evaluation of Q, and is unchanged in the result.

3. In s+, z1 and z2 are used to retain the original values of x1 and x2. Since z1 and z2 are not changed by Q, c+ also restores x1 and x2 to their original values.

Q.E.D. lemma 5.5.

Now, if we assume P<z1/x1, z2/x2>(e;s+) (which was equivalent to P(e;s)), then we have by the premise (5.8) that

Ms<Q>(e;c+;s+) = c+(s') => R<z1/x1, z2/x2>(e;s').

But, if Ms<Q>(e;c+;s+) = c+(s'), then

Ms<Q>(e;c+;s+) = c(s'') = Ms<var x1; array x2; Q>(e;c;s)

by the definition of c+ and lemma 5.5. And, from the definition of c+, it is clear that

R<z1/x1, z2/x2>(e;s') <=> R(e;s'').

Q.E.D. theorem 5.4.

5.5.2.5 Procedure declaration and call

We have saved the proofs of consistency of the procedure declaration and call rules of inference until the end of this section for two main reasons:

1. They are the most difficult of the proofs and seem best delayed until the reader could see a number of simpler proofs, and

2. These proofs are important uses of the tools made available by the lattice-theoretic approach to the theory of computation underlying mathematical semantics. The proofs below will rely on the same structural and fixed point induction techniques used above. The fact that these induction principles are directly motivated from the meaning of recursive definitions in the Scott theory makes the presentation of the proofs fairly straightforward and partially justifies our use of mathematical semantics as a definition technique. Also, the proofs will be consistent with our interpretive approach to semantics and will not involve substitutions in the program text. This is in contrast with [Gorelick 1975] and [Igarashi, London, and Luckham 1973], where the fixed point induction used to prove the validity of the procedure declaration rule is simulated by defining a sequence of procedure bodies upon which a similar induction is performed.

Since the procedure declaration and call rules are closely related, we present the proofs of their consistency together. We begin with procedure declaration.

The procedure declaration rule of inference is

{P} id(x*:y*) {R} |- {P} vblock {R},
{P} id(x*:y*) {R} |- {P'} pblock {R'}

{P'} procedure id(x*:y*); vblock; pblock {R'}

where P and R do not refer to any variables except x*, y*, and the input and output files.

An informal interpretation of this rule of inference will help motivate the formal proof of its validity. Essentially, we can deduce the correctness of a block beginning with a procedure declaration if we know:

1. that the body of the block is correct relative to any calls it may make on the declared procedure (this criterion is embodied in the second premise of the rule), and

2. that the body of the procedure is correct, i.e., it provides the state transformation necessary for the correct execution of the block (this is the first premise).

In our example proof in 4.5.8, this interpretation appears in the structure of the first two steps of the proof. In the first step, we proved the program body correct, assuming that the call to fact within the body did the proper operation. And, in the second part, this same procedure was followed to show the procedure body correct (again relative to the correctness of the call to fact within the body of the procedure). This same general notion will guide the proof of the validity of the rule of inference for procedure declaration.


Remember that our definition of procedure declaration in 4.4.5 was the following:

(5.12) Ms<procedure id(id1*:id2*); vblock; pblock>(e;c;s) =
  if NotIn(id1*, id2*) then
    if Distinct(id1*) then
      if Distinct(id2*) then
        if AssignsTo(vblock, id2*) then ⊥
        else Ms<pblock>(e[id <- p];c;s)
      else ⊥
    else ⊥
  else ⊥

  where rec func p(Id* x; Arg* y; C cp; S sp):
    begin Ms<vblock>(e'[id <- p];cp';sp')
    where
      e' = func(Id i): if e<i> is Lab then ⊥ else e<i>;
      cp' = func(s1): cp((spv[x <- s1v<id1*>], s1i, s1o));
      sp' = (spv[id1* <- spv<x>; id2* <- y], spi, spo)
    end

From the definition above, it is clear that we can use the second premise to deduce the conclusion only if the procedure value p in the definition has the desired properties, since all calls to the procedure from within pblock not referring to a locally declared procedure are defined as applications of p by the mathematical meaning given to procedure calls. Thus, the main task of the proof will be to establish that p has the desired properties. And, since p is defined recursively, it is clear that a fixed point induction, using the first premise of the rule of inference, is required to show that p is, in fact, correct.

Theorem 5.5: The rule of inference for procedure declarations is valid.

Proof: As with the previous proofs of rules of inference, we begin by assuming the premisses

(5.13) {P} id(id1*:id2*) {R} |- {P} vblock {R}

(5.14) {P} id(id1*:id2*) {R} |- {P'} pblock {R'}

and we attempt to show the conclusion true. Here, however, the premisses are a bit more complex and require a bit more explanation. We can rewrite (5.13) as

if {P} id(id1*:id2*) {R}, then {P} vblock {R}.

Recasting this now in terms of our mathematical interpretation of the axiomatic formula, we have

(5.15) if ∀e ∀s [P(e;s) => ∀s' ∀c [Ms<id(id1*:id2*)>(e;c;s) = c(s') => R(e;s')]],
       then ∀e ∀s [P(e;s) => ∀s' ∀c [Ms<vblock>(e;c;s) = c(s') => R(e;s')]].

But, we know from Chapter 4 that

Ms<id(id*:varg*)>(e;c;s) =
  if e<id> is Proc then
    if NotIn(varg*, id*) then
      if Distinct(id*) then
        let a = Ma<varg*>(e;s)
        in (value a): e<id>(id*;a;c;s)
      else ⊥
    else ⊥
  else ⊥

Thus, from (5.15) and the definition of procedure call, we can interpret the premisses as follows. For any procedure value p ∈ Proc,

(5.16) if ∀e ∀s [P(e;s) => ∀s'[∀c p(id1*; Ma<id2*>(e;s); c; s) = c(s') => R(e;s')]],
       then ∀e ∀s [P(e;s) => ∀s'[∀c Ms<vblock>(e[id<-p];c;s) = c(s') => R(e;s')]],

since all procedure calls of id within vblock will be interpreted as evaluations of p, given the mathematical definition of procedure call. Similarly, we can produce

(5.17) if ∀e ∀s [P(e;s) => ∀s'[∀c p(id1*; Ma<id2*>(e;s); c; s) = c(s') => R(e;s')]],
       then ∀e ∀s [P'(e;s) => ∀s'[∀c Ms<pblock>(e[id<-p];c;s) = c(s') => R'(e;s')]],

to interpret the meaning of the second premise. And, we wish to use these premisses to show the conclusion

(5.18) ∀e ∀s [P'(e;s) => ∀s'[∀c Ms<procedure id(id1*:id2*); vblock; pblock>(e;c;s) = c(s') => R'(e;s')]].

From (5.12), we have (disregarding error cases, for which the conclusion is vacuously true) that

Ms<procedure id(id1*:id2*); vblock; pblock>(e;c;s) = Ms<pblock>(e[id<-p];c;s)

  where rec func p(Id* x; Arg* y; C cp; S sp):
    begin Ms<vblock>(e'[id <- p];cp';sp')
    where
      e' = func(Id i): if e<i> is Lab then ⊥ else e<i>;
      cp' = func(s1): cp((spv[x <- s1v<id1*>], s1i, s1o));
      sp' = (spv[id1* <- spv<x>; id2* <- y], spi, spo)
    end

Now, to show that, given the premisses, the conclusion is true for

Ms<pblock>(e[id<-p];c;s)

we will define the sequence of functions

p^0(Id* x; Arg* y; C cp; S sp): ⊥

p^(i+1)(Id* x; Arg* y; C cp; S sp):
    begin Ms<vblock>(e'[id <- p^i];cp';sp')
    where
      e' = func(Id i): if e<i> is Lab then ⊥ else e<i>;
      cp' = func(s1): cp((spv[x <- s1v<id1*>], s1i, s1o));
      sp' = (spv[id1* <- spv<x>; id2* <- y], spi, spo)
    end

and use fixed point induction to show that each satisfies the preconditions on the premisses (5.16) and (5.17), i.e., for all of the p^i we have

(5.19) ∀e ∀s [P(e;s) => [∀s' ∀c p^i(id1*; Ma<id2*>(e;s); c; s) = c(s') => R(e;s')]].

Then we can use (5.17) to establish that

(5.20) ∀e ∀s [P'(e;s) => ∀s'[∀c Ms<pblock>(e[id<-p^i];c;s) = c(s') => R'(e;s')]]

is true for each of the formulas

Ms<pblock>(e[id<-p^i];c;s), i = 0, 1, ...

And, since the meaning of the procedure declaration is the least upper bound of this sequence of formulas (disregarding error cases), this will allow us to use fixed point induction to establish conclusion (5.18).

Basis: For the basis step, the truth of (5.19) follows directly from lemma 5.1 and the fact that p^0 is the totally undefined function. Thus the precondition of (5.17) is satisfied by p^0, and the conclusion (5.20) follows immediately.


Induction: Assume (5.19) is true for p^i. Now, we want to use (5.19), (5.16), and (5.17) to derive the conclusion, and we can do so as follows. Assume the hypotheses (5.16) and (5.17). To prove conclusion (5.20) is true, we first prove the following lemma, establishing the properties of p^(i+1).

Lemma 5.6: If line (5.16) is true, then the following is also true:

If ∀e ∀s [P(e;s) => ∀s' ∀c [p(id1*; Ma<id2*>(e;s); c; s) = c(s') => R(e;s')]], then

∀e ∀s [P(e;s) => ∀s' ∀c [Ms<vblock>(e'[id<-p];cp';sp') = cp'(s') => R(e';s')]]

where

e' = func(Id i): if e<i> is Lab then ⊥ else e<i>;
cp' = func(s1): c((spv[x <- s1v<id1*>], s1i, s1o));
sp' = (spv[id1* <- spv<x>; id2* <- y], spi, spo).


This will allow us to establish the properties of p^(i+1), which we will use to complete the inductive step.

Proof: It is obvious that

P(e;s) <=> P(e'[id<-p];sp'),

since P only refers to the arguments to the procedure (id1* and id2*) and the input and output files. Moreover, in any case that

Ms<vblock>(e'[id<-p];cp';sp')

produces a non-erroneous result, it is clear that it must produce the same result as

Ms<vblock>(e[id<-p];cp';s)

since for all identifiers e'<id> = e<id> or e'<id> = ⊥, and sp'v<id> = sv<id> for all identifiers other than the parameters id1* and id2*. Thus, if

Ms<vblock>(e'[id<-p];cp';sp') = cp'(s''),

then

Ms<vblock>(e[id<-p];c;s) = c(s')

and s' = s''. And, if we have R(e[id<-p];s'), we also have R(e'[id<-p];s''), since again R may only refer to the identifiers id1* and id2* as well as the input and output files.
Q.E.D. lemma 5.6.

Now, from lemma 5.6, we can derive that (5.19) implies that

(5.21) ∀e ∀s [P(e;s) => ∀s'[∀c p^(i+1)(id1*; Ma<id2*>(e;s); c; s) = c(s') => R(e;s')]].

Here it is of particular importance that P and R refer only to the parameters of the procedure, since otherwise the truth of P(e;s) would not be enough to guarantee the truth of P(e;sp'). Finally, from (5.21), we have established that p^(i+1) has the desired properties, using only hypothesis (5.16). But we can immediately use (5.17) with p^(i+1) to establish (5.20), the desired result.

Thus, by applying fixed point induction, the conclusion (5.18) is true. And thus the theorem is true.

Q.E.D. theorem 5.5.

The final proof in this section is that of the consistency of the procedure call rule of inference

{P} id(x*:y*) {R}

{P<a*/x*, e*/y*>} id(a*:e*) {R<a*/x*, e*/y*>}

Theorem 5.6: The rule of inference for procedure calls is valid.

Proof: By the premise, we have

∀e ∀s [P(e;s) => [∀s' ∀c Ms<id(id1*:id2*)>(e;c;s) = c(s') => R(e;s')]].

Also, from the mathematical definition of procedure call in chapter 4, we have

Ms<id(id*:varg*)>(e;c;s) =
  if e<id> is Proc then
    if NotIn(varg*, id*) then
      if Distinct(id*) then
        let a = Ma<varg*>(e;s)
        in (value a): e<id>(id*;a;c;s)
      else ⊥
    else ⊥
  else ⊥

From this we know that the procedure call in the premise is erroneous in the following cases:

1. e<id> is not a procedure value. But then, for the same environment, the meaning of

Ms<id(a*:e*)>(e;c;s)

would also be ⊥, and by lemma 5.1, the conclusion would be vacuously true.

2. The x* are not distinct identifiers. If this is true, then the substitution R<a*/x*, e*/y*> is not well-defined and again the conclusion is vacuously true. The conclusion is also vacuously true in the case that the y* identifiers are not distinct, since again the substitution in the conclusion is not well-defined.

3. Some of the y* identifiers appear in the x* list. But again, the substitution

P<a*/x*, e*/y*>

is not well-defined and again the conclusion is vacuously true, i.e., for no e and s is

I<P<a*/x*, e*/y*>>(e;s) = true.

So we need only consider the case where

Ms<id(x*:y*)>(e;c;s) = e<id>(x*; Ma<y*>(e;s); c; s)

and use premise

(5.22) ∀e ∀s [P(e;s) => ∀s' ∀c [e<id>(x*; Ma<y*>(e;s); c; s) = c(s') => R(e;s')]]

where we also know that the only variables changed by the procedure are its variable arguments and the input and output files, and that P and R only refer to x*, y*, and the input and output files (this comes from the assumption placed on the procedure declaration rule).




The structure of the proof will be similar to that of the proof of the consistency of the rule of inference for variable declarations given earlier:

1. We will define a new state s+ such that

(P<a*/x*, e*/y*>)(e;s) <=> P(e;s+).

2. Then, we will define a new continuation c+, of the form c∘f, such that we can use

Ms<id(x*:y*)>(e;c+;s+)

to "simulate"

Ms<id(a*:e*)>(e;c;s).

3. And, finally, we will show that the truth of the post-condition of the premise implies the truth of the post-condition of the conclusion from the form of c+ and s+.

Now, we begin by defining s+ as

s+ = s[x* <- sv<a*>; y* <- Ma<e*>(e;s)]

where we are just changing the x* and y* variables to have the values of the a* variables and the e* expressions. It is clear that

(P<a*/x*, e*/y*>)(e;s) <=> P(e;s+),

since the only identifiers that can appear in P (or R) are x*, y*, and the input and output files. Now, we define c+ as

c+ = func(s1): c(s1[x* <- sv<x*>; y* <- sv<y*>; a* <- s1v<x*>]).

Essentially, c+ applies c after first:

1. restoring the values of the x* and y* variables to the original values they had in the initial state s, and

2. placing the current values of the x* variables (the variable parameters) in a*.

Note that, since a* and x* may be the same, we first restore the old values and then assign the new values of the result parameters. The following lemma establishes the use of s+ and c+ to simulate the effect of the procedure call id(a*:e*).

Lemma 5.7: Assume that

1. e<id>(x*; arg*; c; s) = c(s') implies that ∀id not in x*, sv<id> = s'v<id>, i.e., that e<id> changes only its variable parameters, and

2. if s1v<x*> = s2v<z*>, and s1i = s2i, and s1o = s2o, then

e<id>(x*; arg*; c; s1) = c(s1') iff
e<id>(z*; arg*; c'; s2) = c'(s2') and
s1'v<x*> = s2'v<z*>, s1'i = s2'i, and s1'o = s2'o,

i.e., if two states agree for the variable arguments and input and output files, e<id> produces results that agree (the remaining variables are irrelevant to e<id>).

Note that these two restrictions are satisfied by all of the procedure values formed by procedure declaration in the PASCAL subset. Then, if these assumptions are true,

e<id>(x*; Ma<y*>(e;s+); c+; s+) = e<id>(a*; Ma<e*>(e;s); c; s).

Proof: First, it is clear that

Ma<y*>(e;s+) = Ma<e*>(e;s)

from the definition of s+. Thus from the second premise of the lemma, we have

e<id>(x*; Ma<y*>(e;s+); c+; s+) = c+(s') iff
e<id>(a*; Ma<e*>(e;s); c; s) = c(s''), where

1. s'i = s''i,

2. s'o = s''o, and

3. s'v<x*> = s''v<a*>.

And, from the first premise of the lemma and the definition of c+, it is clear that c+(s') = c(s'').

Q.E.D. lemma 5.7.


Finally, we can deduce the truth of the conclusion, and thus the truth of the theorem, from lemma 5.7 by assuming P(e;s+) (or (P<a*/x*, e*/y*>)(e;s)), from which we have

e<id>(x*; Ma<y*>(e;s+); c+; s+) = c+(s') = c(s'') = e<id>(a*; Ma<e*>(e;s); c; s),

and R(e;s') from the premise. From the argument given above to show the lemma and the fact that the e* contain no occurrences of any of the a*, it is clear that

R(e;s') <=> (R<a*/x*, e*/y*>)(e;s''),

thus establishing the conclusion and the theorem.

Q.E.D. theorem 5.6.
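The simulation of lemma 5.7, as an added example that is not the thesis's own code: a Python model of a procedure value built as in (5.12) (formals bound to the actuals, results copied back through cp'), the state s+ and continuation c+ of theorem 5.6, and a check that e<id>(x*; Ma<y*>(e;s+); c+; s+) = e<id>(a*; Ma<e*>(e;s); c; s), including the case where a* overlaps x*. Input and output files are omitted; the procedure shift, the identifiers and the state values are constructed for the example.

```python
from typing import Callable, Dict, Sequence, Tuple

State = Dict[str, int]                    # store only; input and output files omitted
Cont = Callable[[State], State]
Body = Callable[[Cont, State], State]     # Ms<vblock>(e; cp'; sp') with e fixed
Expr = Callable[[State], int]             # Me<exp>(e; s) with e fixed
# A procedure value e<id>(x*; arg*; c; s): actual variable names, argument values,
# continuation, calling state.
Proc = Callable[[Sequence[str], Sequence[int], Cont, State], State]


def make_procedure(id1: Sequence[str], id2: Sequence[str], vblock: Body) -> Proc:
    """Procedure value built as in the declaration meaning (5.12): the formals
    id1* take the values of the actual variables x*, the formals id2* take the
    argument values y, the body runs, and cp' copies the final values of id1*
    back into x* before applying the caller's continuation cp."""
    def p(xs: Sequence[str], ys: Sequence[int], cp: Cont, sp: State) -> State:
        sp_prime = {**sp, **{f: sp[x] for f, x in zip(id1, xs)}, **dict(zip(id2, ys))}

        def cp_prime(s1: State) -> State:
            # spv[x <- s1v<id1*>]: only the caller's variable parameters change
            return cp({**sp, **{x: s1[f] for x, f in zip(xs, id1)}})
        return vblock(cp_prime, sp_prime)
    return p


def s_plus(s: State, xs: Sequence[str], ys: Sequence[str],
           actuals: Sequence[str], exprs: Sequence[Expr]) -> State:
    """s+ = s[x* <- sv<a*>; y* <- Ma<e*>(e;s)]."""
    return {**s, **{x: s[a] for x, a in zip(xs, actuals)},
            **{y: ev(s) for y, ev in zip(ys, exprs)}}


def c_plus(c: Cont, s: State, xs: Sequence[str], ys: Sequence[str],
           actuals: Sequence[str]) -> Cont:
    """c+ = func(s1): c(s1[x* <- sv<x*>; y* <- sv<y*>; a* <- s1v<x*>]).
    x* and y* are restored first and the result parameters a* written last,
    which matters when a* and x* share identifiers."""
    def cont(s1: State) -> State:
        restored = {**s1, **{x: s[x] for x in xs}, **{y: s[y] for y in ys}}
        return c({**restored, **{a: s1[x] for a, x in zip(actuals, xs)}})
    return cont


def c_plus_wrong_order(c: Cont, s: State, xs: Sequence[str], ys: Sequence[str],
                       actuals: Sequence[str]) -> Cont:
    """Like c_plus but assigning a* before restoring x*, y*: the restoration
    then overwrites results whenever a* and x* overlap."""
    def cont(s1: State) -> State:
        assigned = {**s1, **{a: s1[x] for a, x in zip(actuals, xs)}}
        return c({**assigned, **{x: s[x] for x in xs}, **{y: s[y] for y in ys}})
    return cont


def both_sides(proc: Proc, xs: Sequence[str], ys: Sequence[str],
               actuals: Sequence[str], exprs: Sequence[Expr], c: Cont, s: State,
               make_c_plus=c_plus) -> Tuple[State, State]:
    """(left, right) of lemma 5.7:
    left  = e<id>(x*; Ma<y*>(e;s+); c+; s+)
    right = e<id>(a*; Ma<e*>(e;s); c; s)."""
    sp = s_plus(s, xs, ys, actuals, exprs)
    left = proc(xs, [sp[y] for y in ys], make_c_plus(c, s, xs, ys, actuals), sp)
    right = proc(actuals, [ev(s) for ev in exprs], c, s)
    return left, right


# Constructed procedure:  procedure shift(var p, q : d);  p := p + d; q := q - d
# Its body reads only its own parameters, as the two restrictions of lemma 5.7 require.
def shift_body(k: Cont, local: State) -> State:
    return k({**local, "p": local["p"] + local["d"], "q": local["q"] - local["d"]})


SHIFT: Proc = make_procedure(["p", "q"], ["d"], shift_body)
XS, YS = ["x1", "x2"], ["y"]                       # identifiers used in the premise
INITIAL: State = {"x1": 1, "x2": 2, "y": 0, "u": 5, "v": 7}   # constructed state s


def identity(s: State) -> State:
    """The continuation c = func(s): s, so the final state is returned."""
    return s
```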

The final rule of inference for procedures is the rule of invariance

{P} id(id1:e) {R}

{P and Q} id(id1:e) {R and Q}

where Q contains no free occurrences of any member of id1 or of the input or output files if references to them occur in R. Given our previous discussion of procedures in the PASCAL subset, this rule of inference is obviously valid, so we only sketch the proof of its validity below.

1. Assume (P and Q)(e;s) for some e and s. From the definition of I, this also implies P(e;s).

2. Given P(e;s) we can apply the hypothesis of the rule of inference to deduce that the procedure call produces R(e;s') for every final state s'. Now, from the properties of procedures and the fact that Q contains no free occurrences of any of the id1 variables or of the input and output files if references to them appear in R, it is clear that

Q(e;s) <=> Q(e;s'),

and since we have assumed Q(e;s) above, we have Q(e;s').

3. Finally, from the definition of I, we have that Q(e;s') and R(e;s') imply (Q and R)(e;s'). Thus the conclusion is true.

5.5.3 Completing the proof of consistency

In the previous sections, we gave rather complete and detailed proofs of the consistency of the mathematical and axiomatic definitions of certain constructs in the PASCAL subset. In this section, we complete the proof of consistency for the definition of the entire language by giving proofs of the validity of each of the remaining axiomatic rules. However, as they are all rather simple, but tedious, to prove, we give the proofs in rather less detail. In particular, the many inductions necessary will only be described, and not performed.

5.5.3.1 Array assignment

The axiom for array assignment is

{R<(a[j<-i])/a>} a[i] := j {R}

for any assertion R.

Theorem 5.7: The axiom of array assignments is valid.

Proof: By our interpretation of the axiomatic formulas, we require

∀e ∀s [(R<(a[j<-i])/a>)(e;s) => ∀s'[[∀c Ms<a[i]:=j>(e;c;s) = c(s')] => R(e;s')]].

From 4.4.5.3, we have

Ms<id[exp1] := exp2>(e;c;s) =
  let v1 = Me<exp1>(e;s) to Int;
      v2 = Me<exp2>(e;s)
  in (value v1,v2):
    if sv<id> is an array value then c(s[id(v1) <- v2])
    else ⊥

So, if Ms<a[i]:=j>(e;c;s) = c(s'), then by lemma 5.1 we know that:

1. v1 ≠ ⊥, and

2. v2 ≠ ⊥ (or erroneous).

And, it is clear that

(5.23) s' = s[a(Me<i>(e;s) to Int) <- Me<j>(e;s)].

Similar to the proof for simple assignment, the theorem is proven from the following stronger lemma.

Lemma 5.8: For any i, j ∈ Exp, a ∈ Id, R ∈ Ast,

(R<(a[j<-i])/a>)(e;s) = R(e;s'),

where s' is defined in (5.23).

Proof: Again by structural induction on R.

Q.E.D. theorem 5.7.

5.5.3.2 The empty statement

The rule for the null statement is

{P} null {P}

for any assertion P.

Theorem 5.8: The axiom for the null statement is valid.

Proof: The mathematical meaning of the null statement in 4.4.5.3 is

Ms<null>(e;c;s) = c(s),

and from our interpretation of axiomatic formulas, the rule of inference is obviously valid.

5.5.3.3 The simple read

The axiom for the simple read statement was

{#in > 0 and P<in{#in}/id>} read id {P<(id||in)/in, #in+1/#in>}

for any assertion P.

Theorem 5.9: The axiom for simple read statements is valid.

Proof: From 4.4.5.3, we have

Ms<read id>(e;c;s) =
  if si is empty then ⊥
  else begin
    if sv<id> is Val then c(s')
      where s' = (sv[id <- hd(si)], tl(si), so)
    else ⊥
  end

Similar to the write statement, the theorem can be proven by using the stronger lemma.

Lemma 5.9: For any P ∈ Ast, id ∈ Id,

(P<in{#in}/id>)(e;s) = P<(id||in)/in, #in+1/#in>(e;(sv[id<-hd(si)], tl(si), so)).
Proof: Again by structural induction on P.

5.5.3.4 Array element read statement

The axiom of the array element read statement is

{#in > 0 and P<(id[exp<-in{#in}])/id>} read id[exp] {P<(id[exp]||in)/in, #in+1/#in>}

Theorem 5.10: The rule for array element read statements is valid.

Proof: As for theorems 5.7 and 5.9.


5.5.3.5 The conditional statement

The rule of inference for the conditional statement is

{P and b} st1 {R}, {P and not b} st2 {R}

{P} if b then st1 else st2 fi {R}

Theorem 5.11: The rule of inference for conditional statements is valid.

Proof: The validity of the rule follows directly from a case analysis of the possible values of Me<b>(e;s) and the fact that the conditional used in the mathematical definition is doubly strict on its argument.


5.5.3.6 The for statement

The rule of inference for the for statement is

{a ≤ x ≤ b and P<x-1/x>} st {P}

{P<a-1/x> and b<a implies P<b/x>} for x:=a to b do st od {P<b/x>}

where variables in a and b do not occur free in st.

Theorem 5.12: The rule of inference for for statements is valid.

Proof: Again, by fixed point induction. From 4.4.5.3, the definition of for is

Ms<for id := exp1 to exp2 do stmt od>(e;c;s) =
  let v1 = Me<exp1>(e;s) to Int;
      v2 = Me<exp2>(e;s) to Int
  in (value v1,v2): begin iterate(s[id <- v1])
    where rec func iterate(S s1):
      begin
        if s1v<id> > v2 then c(s1[id <- u])
        else Ms<stmt>(e; c''; s1)
        where c'' = func(s2): iterate(s2[id <- s2v<id>+1])
      end
  end

and we are given the premise

{a ≤ x ≤ b and P<x-1/x>} st {P}.

Using our interpretation of axiomatic formulas and the definition given above, we wish to show

(P<a-1/x> and b<a implies P<b/x>)(e;s) => ∀s'[∀c iterate(s[x <- Me<a>(e;s)]) = c(s') => (P<b/x>)(e;s')]

by induction on the sequence of functions iterate^i. As with the previous proofs, the basis step follows immediately from lemma 5.1. And, the induction step is clear if we view the iterate^i as iterations producing ⊥ if more than i steps are required.

5.5.3.7 Statement sequences

The rule of inference for statement sequences is

{P} st1 {Q}, {Q} st2 {R}

{P} st1; st2 {R}

Theorem 5.13: The rule of inference for statement sequences is valid.

Proof: From the definition of the mathematical meaning of statement sequences in 4.4.5.3 as

Ms<st1; st2>(e;c;s) = Ms<st1>(e; Ms<st2>(e;c); s)

and the interpretation of axiomatic formulas, the theorem is obvious.

5.5.3.8 Compound statements

The rule of inference for compound statements is

{P} stmt {R}

{P} begin stmt end {R}

Theorem 5.14: The rule of inference for compound statements is valid.




Proof: Again, obvious from the mathematical meanings of axiomatic formulas and compound statements (begin and end have no semantic effect).

5.5.3.9 Label declarations

The rule of inference for label declarations is

{P} stmt {R'}, {P} goto l {false} |- {P'} lblock {R'}

{P'} label l: stmt; lblock {R'}

Theorem 5.15: The rule of inference for label declarations is valid.

Proof: Remember that the mathematical meaning given to label declarations was

Ms<label id: stmt; lblock>(e;c;s) =
  let c' = Ms<stmt>(e;c)
  in Ms<lblock>(e[id <- c'];c;s[id <- u])

First, we note that the premise

{P} goto l {false}

is valid for any P, since the meaning function for goto statements does not involve application of the normal continuation. Now, let

c' = Ms<stmt>(e;c).

It is clear that if we have

{P} stmt {R'},

then we also have

∀e ∀s [P(e;s) => ∃s' Ms<goto id>(e[id<-c'];c;s) = c'(s') = c(s'') => R'(e;s')]

so that if the body of the label block terminates abnormally by performing a goto to the label, then R' is true of the final state produced. And, since we know that this implies

{P'} lblock {R'}

then the conclusion of the rule of inference is clearly true.

Q.E.D. theorem 5.15.

5.5.3.10 The rule of consequence

The rule of consequence states that if P implies R and S implies Q, then

{R} stmt {S}

{P} stmt {Q}.

Theorem 5.16: The rule of consequence is valid.

Proof: Immediate from the definition of the semantics of assertions and the interpretation of {R} stmt {S}.


In the preceding development, we have used a logical system in which only statements of partial correctness may be made. In this section, we indicate how the argument changes when we consider a system in which the logical formulas indicate total, rather than partial, correctness. To do so, we give a treatment of Dijkstra's predicate transformers [1973] similar to that given to the axiomatic formulas in section 5.4.

The formulas in this system are of the form wp(S,P), and are interpreted as "wp(S,P) is the weakest pre-condition such that the statement S terminates and produces a final state satisfying P." This is similar to the axiomatic formula

    {wp(S,P)} S {P},

except that it can be used to express the total correctness of S. Just as we interpreted the axiomatic formula as a statement about the mathematical model, we can give an interpretation of the weakest pre-condition in terms of our mathematical model. The interpretation contains two parts:

1. that wp(S,P) guarantees S produces a final state for which P is true, and

2. that wp(S,P) is the weakest precondition with this property.

wp(S,P) is equivalent to

    ∀e ∀s [wp(S,P)(e;s) ⇒ ∃s' ∀c [Ms<S>(e;c;s) = c(s') and P(e;s')]]
    and ∀p [[∀e ∀s [p(e;s) ⇒ ∃s' ∀c [Ms<S>(e;c;s) = c(s') and P(e;s')]]]
            ⇒ [∀e ∀s [p(e;s) ⇒ wp(S,P)(e;s)]]]

Since we are only interested in the total correctness property of predicate transformers, we will use only the first part of this formula as the meaning of wp(S,P) to simplify the presentation to follow.

In [1973], Dijkstra defines "healthy" predicate transformers as those transformers wp satisfying the following four properties:

1. P ⇒ Q implies wp(S,P) ⇒ wp(S,Q),

2. wp(S,false) = false,

3. wp(S,P and Q) = wp(S,P) and wp(S,Q),

4. wp(S,P or Q) = wp(S,P) or wp(S,Q).

We first show that these properties can be proven as theorems about our interpretation of predicate transformers. We then discuss the effect this interpretation of logical formulas would have on an axiomatic definition of the PASCAL subset.

Theorem 5.17: P ⇒ Q implies wp(S,P) ⇒ wp(S,Q).

Proof: Assume P ⇒ Q. From the definition of wp, we have

    ∀e ∀s [wp(S,P)(e;s) ⇒ [∃s' [∀c [Ms<S>(e;c;s) = c(s')] and P(e;s')]]]

and

    ∀e ∀s [wp(S,Q)(e;s) ⇒ [∃s' [∀c [Ms<S>(e;c;s) = c(s')] and Q(e;s')]]]

But, since P ⇒ Q, we have

    ∀e ∀s [wp(S,P)(e;s) ⇒ [∃s' [∀c [Ms<S>(e;c;s) = c(s')] and Q(e;s')]]]

Therefore, wp(S,P) ⇒ wp(S,Q). Q.E.D. theorem 5.17.

Theorem 5.18: wp(S,false) = false.

Proof: Obvious from the interpretation of wp.

Theorem 5.19: wp(S,P and Q) = wp(S,P) and wp(S,Q).

Proof: From the definition of wp, it is clear that

    ∀e ∀s [wp(S,P)(e;s) and wp(S,Q)(e;s)
           ⇒ [∃s' [∀c [Ms<S>(e;c;s) = c(s')] and (P(e;s') and Q(e;s'))]]],

and the theorem follows directly from this.

Theorem 5.20: wp(S,Q) or wp(S,P) = wp(S,P or Q).

Proof: Similar to 5.19.

Note that the previous theorems guarantee that any transformer satisfying the given interpretation (i.e., the total correctness property of a construct) is healthy. We now use our interpretation of predicate transformers to examine the differences between Dijkstra's system and the axiomatic definitions used in Chapter 4. The major difference is that the pre-condition, as well as assuring the desired property of the final state, also assures that "nothing can go wrong." The interesting aspect of this guarantee is the number of possibilities which must be covered in a language like the PASCAL subset, even for constructs which seem guaranteed to terminate.
For example, consider the simple assignment statement defined in Chapter 4. Dijkstra defines assignment by

    wp(x:=a, P) = P<a/x>,

similar to the definition used in Chapter 4. This seems reasonable, since assignment statements always terminate. However, in the PASCAL subset definition of 4.4.5.3, we note that the meaning function for x := a may produce t (or even ⊥), thus making the interpretation given above false by lemma 5.7, in several ways:

1. x may be undeclared, or declared as an array, or

2. a may be syntactically valid, but semantically "meaningless," e.g., a may have the form 1 + true, or

3. a may call a function which loops infinitely or is erroneous.

Thus, if we were to define the PASCAL subset using predicate transformers, it would be necessary either:

1. to include in the pre-condition appropriate checks to guarantee that such conditions as we described above did not occur, or

2. to change the interpretation of predicate transformers so that they would define total correctness relative to the correctness of any component expressions.

Both involve a good deal of complication, either in the rules of inference or interpretation.
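The following is an added example, not part of the thesis: a Python model of the first part of the interpretation of wp(S,P) above, computed by brute force over a small constructed state space. It checks Dijkstra's four "healthy" properties for an assignment and exhibits the states on which wp(x:=a, P) = P<a/x> promises termination while the subset's meaning function yields t (x undeclared, or a of the form 1 + true). The tiny expression language and the state space are this example's assumptions.

```python
"""Added example (not from the thesis): semantic weakest preconditions over a
constructed finite state space, the four healthiness properties, and the gap
between Dijkstra's assignment rule and a meaning function that can yield t."""
from itertools import combinations, product

T = object()   # the undefined result the thesis writes as t (undeclared x, 1 + true, ...)


def as_state(d):
    """States are frozensets of (name, value) pairs so they can be members of sets."""
    return frozenset(d.items())


def eval_exp(exp, d):
    """Tiny expression language (an assumption of this example):
    ('num', n), ('bool', b), ('var', x), ('plus', a, b)."""
    kind = exp[0]
    if kind in ("num", "bool"):
        return exp[1]
    if kind == "var":
        return d.get(exp[1], T)                      # undeclared variable: undefined
    if kind == "plus":
        a, b = eval_exp(exp[1], d), eval_exp(exp[2], d)
        if a is T or b is T or isinstance(a, bool) or isinstance(b, bool):
            return T                                 # e.g. 1 + true is "meaningless"
        return a + b
    raise ValueError(kind)


def assign(x, exp):
    """Ms<x := exp> as a state-to-state function; T when anything goes wrong."""
    def run(state):
        d = dict(state)
        if x not in d:
            return T                                 # x undeclared (case 1 in the text)
        v = eval_exp(exp, d)
        return T if v is T else as_state({**d, x: v})
    return run


def wp(stmt, pred, universe):
    """wp(S,P): the states in universe from which stmt terminates in a state
    satisfying pred (predicates are sets of states)."""
    return frozenset(s for s in universe
                     if (s2 := stmt(s)) is not T and s2 in pred)


def is_healthy(stmt, universe):
    """Dijkstra's four properties, checked over every pair of predicates."""
    preds = [frozenset(c) for r in range(len(universe) + 1)
             for c in combinations(universe, r)]
    w = {p: wp(stmt, p, universe) for p in preds}
    if w[frozenset()]:                               # 2. wp(S,false) = false
        return False
    for p, q in product(preds, repeat=2):
        if p <= q and not w[p] <= w[q]:              # 1. P=>Q implies wp(S,P)=>wp(S,Q)
            return False
        if w[p & q] != w[p] & w[q]:                  # 3. conjunctivity
            return False
        if w[p | q] != w[p] | w[q]:                  # 4. disjunctivity (S deterministic)
            return False
    return True


def assignment_rule_gap(x, exp, universe):
    """With P = true, Dijkstra's rule gives wp(x:=a, true) = true<a/x> = true, i.e.
    every state.  Return the states on which the semantic wp disagrees: those where
    the meaning function for x := a produces T instead of a final state."""
    return frozenset(universe) - wp(assign(x, exp), frozenset(universe), universe)


# Constructed universe: x and y over {0, 1}, plus states in which x is undeclared.
UNIVERSE = frozenset(
    [as_state({"x": a, "y": b}) for a in (0, 1) for b in (0, 1)]
    + [as_state({"y": b}) for b in (0, 1)])

X_GETS_Y = assign("x", ("var", "y"))
X_GETS_MEANINGLESS = assign("x", ("plus", ("num", 1), ("bool", True)))

if __name__ == "__main__":
    print(is_healthy(X_GETS_Y, UNIVERSE), is_healthy(X_GETS_MEANINGLESS, UNIVERSE))
    print([dict(s) for s in assignment_rule_gap("x", ("var", "y"), UNIVERSE)])
```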


One can question whether such added complexity is justified, since it seems that the termination of most programs is clear from an informal examination of a few pieces of code (see [Sites 1974]). One of the major advantages of Hoare's axiomatic approach may be its ability to sweep these relatively uninteresting possibilities under the rug. We now turn to an analysis of PASCAL in terms of the semantic definitions of Chapter
Chapter 6

Extensions to the PASCAL Subset Language


6.1 Introduction

One of the more common pastimes of programmers is to ponder the ways in which their favourite programming language could be extended to provide all of the bells and whistles they would just love to have. In this chapter, we will indulge in this familiar game, but from a slightly different viewpoint. We will discuss three areas in which the PASCAL subset defined in Chapter 4 could be extended: allowing global variables to be referenced in procedures, providing "escape" jumps from procedures and functions, and passing array elements as variable arguments to procedures. The object of the discussion will be to show that some of the restrictions placed on PASCAL subset programs in Chapter 4 were based on certain inherent limitations of the mathematical model used, and that to extend our subset to the full PASCAL language requires a more "powerful" model to give accurate, intuitive definitions. We will also sketch how a more accurate treatment of PASCAL type- and range-checking could be given.

We first introduce the "standard" mathematical model used in [Milne 1974, Tennent 1973a, Scott and Strachey 1972]. Using this semantic model, we first give a new definition of the PASCAL subset, in which a "call-by-reference" rather than "call-by-value/result" interpretation of variable parameters to procedures is given. We then prove that the standard semantics and our earlier mathematical definition of PASCAL are equivalent, also establishing

1. the validity of "call-by-reference" as an optimization which may be used by an actual implementation, and

2. the validity of the axiomatic definition with respect to the model provided by the standard semantics.

Using this new definition, we then show how the various restrictions placed on procedures in Chapter 4, e.g., the inability to reference global variables within the procedure body and the requirement that entire arrays, rather than array elements, be passed as variable arguments, can be removed in the "standard" semantics. We also use the two definitions to show how the axiomatic definitions given in Chapter 4 must be extended to handle these new features properly.

The remainder of this chapter is concerned with the extension of the mathematical model to define type- and range-checking for the PASCAL subset consistent with the informal description of the semantics of PASCAL given in the Revised Report. The distinctions in PASCAL between the notions of "type" and "range" are explicated in terms of the extended model presented.
6.2 "Standard" semantics of the PASCAL subset

6.2.1 Introduction

The "standard" model commonly used in giving the mathematical semantics of a programming language is based on viewing the meaning of a statement as a transformation of abstract "machine stores," relative to an environment and continuation. (Naturally, this basic model is usually substantially embellished to deal with the intricacies of most modern languages.) The major difference between the standard model and the one given in Chapter 4 to define the PASCAL subset is the introduction of a domain of "locations" or "references" in the standard model. The environment is then used to give meaning to all of the identifiers appearing in the program, including the program variables (which now are seen as denoting locations). The abstract "store" then is a mapping from locations, rather than identifiers, to values (again, with components to represent the input and output files).

As we have seen from Chapter 4, locations are not necessary to define the semantics of the PASCAL subset. However, even for languages which do not provide explicit "pointer" or reference values, locations seem necessary in the underlying semantic model to allow definition of the following sorts of constructs, all of which appear in full PASCAL:

1. reference parameters,

2. global variable references in procedures, of the kind found in Algol 60 or PL/I, and

3. data structures in which the components may be individually updated (i.e., assigned to or passed as variable parameters to procedures), e.g., arrays or records in PASCAL or Algol W.

Below, we give another semantics for the PASCAL subset using an "abstract store" in the semantic model. As we will see in the following sections, this new definition can be far more easily extended to include such constructs than the definition given in Chapter 4.

The presentation of the standard semantics of the PASCAL subset to follow will have the same structure as the mathematical definition given in Chapter 4. We will give:

1. the syntactic domains (these will be the same as those given in 4.4.2.1, but are repeated to save page-flipping),

2. the semantic domains,

3. the functionality of the meaning functions,

4. a short discussion of the structure of the semantic domains, and

5. the clauses of the definition.


6.2.2 Syntactic domains

    Id                                      identifiers
    T    = {true, false}                    truth value names
    N    = {0, 1, ...}                      numerals
    Var  = Id + [Id x Exp]                  variables
    Exp  = T
         + N
         + Var
         + eof                              the end-of-file indicator
         + [Id x Varg*]                     function designators
         + [Uop x Exp]                      unary operators
         + [Bop x Exp x Exp]                binary operators
    Varg = Id + Exp                         value arguments
    Uop  = { ... }                          unary operator names
    Bop  = {+, -, *, div, mod, =, ...}      binary operator names

    Stmt = null                             empty statement
         + [goto x Id]                      goto
         + [Var x Exp]                      assignment
         + [read x Var]                     read
         + [write x Exp]                    write
         + [Id x Id* x Varg*]               procedure designators
         + [Exp x Stmt x Stmt]              conditional statements
         + [Exp x Stmt]                     while statements
         + [Id x Exp x Exp x Stmt]          for statements
         + [Stmt x Stmt]                    statement sequences
         + [begin x Stmt x end]             compound statements

    Vblock = [Id* x Id* x Lblock]

        Vblock is a variable block, composed of the declaration of
        identifiers as variables or arrays, followed by a label
        declaration block.

    Lblock = [[Id x Stmt] x Lblock]
           + Pblock

        Lblock is a label block, composed of a procedure block or a
        label declaration followed by a label declaration block.

    Pblock = [[Id x Id* x Id* x Vblock] x Pblock]
           + [[Id x Id* x Vblock] x Pblock]
           + [begin x Stmt x end]

        Pblock is the syntactic category of procedure blocks. As
        defined earlier, a procedure block consists of zero or more
        procedure or function declarations, followed by a statement,
        representing the body of the block.

    Prog = Id x Vblock                      programs


6.2.3 Semantic domains

    Int                                                 integers
    Bool                                                Booleans
    Udef  = {u}                                         undefined values
    Val   = Int + Bool + Udef                           values
    Func  = Arg* -> Val                                 functions

        Functions take a sequence of value arguments and produce a
        single value (no side-effects are allowed).

    Arg   = Val + [Int -> Val]                          arguments
    Proc' = Loc* -> [Arg* -> [C' -> [S' -> Val*]]]      procedures

        Procedures take reference and value arguments and produce an
        output file relative to a continuation and machine store.

    Lab'  = C'                                          labels
    C'    = S' -> Val*                                  continuations
    S'    = [Loc -> [Bool x [Val + [Int -> [Loc + Udef]]]]]
            x Val* x Val*                               machine stores

        Machine stores map locations to values or array descriptors
        (the Bool component is used to record whether a location is
        currently "allocated" or "unallocated"), and also record the
        values of the current input and output files.

    Env'  = Id -> [[Func x Loc] + Func + Proc' + Lab' + Loc
                   + Val + [Int -> Val]]                environments

        Environments map each identifier in the program to its
        current denotation.


6.2.4 Functionality of the meaning functions

    Me': Exp -> [Env' -> [S' -> Val]]

    Ma': Varg -> [Env' -> [S' -> Arg]]

    Ms': [Pblock + Vblock + Lblock] -> [Env' -> [C' -> [S' -> Val*]]]

    Mp': Prog -> [Val* -> Val*]


6.2.5 Discussion

Basically, the new semantic domains differ from those used in Chapter 4 in the treatment of environments, stores, and procedures. The environment used in the previous definition has been extended in the following ways to give Env':

1. The most obvious change is the addition of locations to the codomain of the environment mapping. In the new domains, each identifier, including the program variables, denotes a value in the environment.

2. Values of type Val and Int->Val are added to the codomain of Env' to give the semantics of value arguments to procedures and functions. Since our PASCAL subset does not allow procedure or function bodies to assign to value parameters, it is not necessary to place the values of the corresponding value arguments in the store. This not only simplifies the semantics of procedures and functions, but also gives a uniform treatment of parameter passing. All parameters passed to a procedure or function cause a change of environment only.

3. Finally, it is necessary to change the denotation of functions to include both a function value and a location, so that the "pun" in our PASCAL subset can be handled properly.

The program state s of the previous definition is now the abstract "machine store" S'. In addition to the usual components for the input and output files, the values of the program variables are now associated with locations, rather than identifiers (along with the Boolean tag giving the allocation status of the location). Also, we include values of type Int->Loc in the store to serve as array descriptors. This Int->Loc component is placed in the store rather than the environment so that the same dynamic growth of arrays allowed in the earlier PASCAL subset definition can still be simply defined.
The most important point to note is that we can easily show that the new Env' and S' are more "powerful" than the old Env and S, in the sense that:

1. each member of [Env x S] can be given an "exact" image as a member of [Env' x S'], i.e., we can transform (e,s) to (e',s') and back to (e,s) without loss of information, and

2. members of [Env' x S'] have only "approximate" images in [Env x S], i.e., without some encoding scheme we cannot go from (e',s') to (e,s) and back to (e',s') exactly.

We can formally state this as follows.

Definition 6.1: An environment e and state s are said to be pun-free if

1. s<i> is Val = true implies that either e<i> is Func = true, or e<i> = ⊥ or e<i> = t, i.e., if i is an active simple variable, then i also either denotes a function or has no denotation in the environment, and

2. s<i> is Int->Val = true implies that e<i> = ⊥ or e<i> = t.

These pun-free environments and states are the only ones created in the definitions of Chapter 4. Now, we can state that each pun-free e and s has an exact image in [Env' x S'] as follows.

Proposition: Let (e,s) be any pun-free environment and state. Then there exist functions

    f: [Env x S] -> [Env' x S']   and   g: [Env' x S'] -> [Env x S]

such that:

    g(f((e,s))) = (e,s),

i.e., (e,s) has an exact image as (e',s'). The functions f and g are called a projection pair.

That this is true can be seen informally as follows. We can easily define a one-to-one mapping between identifiers and locations, which we can use to map the state into a store and the environment and state into a new environment. And, since we assume that (e,s) is pun-free, there is no possibility of an identifier referring both to a procedure or label and a variable. Then, using the inverse of this one-to-one mapping, we can readily obtain the original (e,s) from the (e',s') produced. Again, since (e,s) is pun-free, there is no chance that the denotation of an identifier will have been lost in the process.

The importance of the preceding comments is that our standard semantic model is definitely richer (in terms of the number of possible computations that can be described) than the model used in Chapter 4. Using Env and S allows only a simple relationship between program variables and their values, i.e., with each variable there is an associated value. Splitting this association into functions from variables to locations and from locations to values allows more complex "sharing" situations to be described, where several identifiers each refer to the same location. In our simple model, changing one value in the state could only affect one variable; in the new model, a similar change of one value could affect an arbitrary number of variables, i.e., all those that denote the changed location. This increase in "power" was the reason why standard semantics were not used in Chapter 4; the simple model was sufficient, and the increased facility of the standard model would only serve to increase the complexity of the proof of consistency given in Chapter 5. We will prove the consistency of our standard semantics and the axiomatic semantics of the subset, but as an immediate consequence of the main theorem of this Chapter.

Finally, the meaning of procedures has been changed in our new set of domains to take values of type Loc as variable arguments. This is to provide a call-by-reference, rather than a call-by-value/result, treatment of variable parameters.
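The following is an added example, not the thesis's own definitions: a Python model of the Chapter-4 style environment (identifiers straight to values) beside the "standard" Env'/S' of this section (identifiers to locations, locations to a (tag, value) pair). It shows the "sharing" that only the second model can express, created here by a by-reference variable parameter, and a projection pair f, g as in the Proposition. The input/output file components of the store are left out, and all function names are this example's assumptions.

```python
"""Added example (not from the thesis): Env x S beside Env' x S', a projection pair
f/g, and the sharing that survives in one model but not the other."""
from itertools import count

UNDEF = "u"            # the undefined value u
T = None               # the undefined result the thesis writes as t


def new(store):
    """New: S' -> [Loc x S']: a location unallocated in s, allocated with u in s'."""
    loc = next(l for l in count() if not store.get(l, (False, UNDEF))[0])
    s2 = dict(store)
    s2[loc] = (True, UNDEF)
    return loc, s2


def alloc(ident, env, store):
    """Alloc: allocate a fresh location and bind ident to it."""
    loc, s2 = new(store)
    return {**env, ident: loc}, s2


def assign(ident, value, env, store):
    """Ms'<id := exp> with exp already evaluated: the location must be allocated."""
    a = env.get(ident)
    if a is None or not store[a][0]:
        return T                                  # undeclared or unallocated: t
    s2 = dict(store)
    s2[a] = (True, value)
    return s2


def lookup(ident, env, store):
    """Me'<id> for an identifier that denotes a location."""
    v = store[env[ident]][1]
    return T if v is UNDEF else v


def by_reference(formal, actual, env):
    """A variable parameter in the new Proc' domain: the formal denotes the actual's
    location, so two identifiers now share one location."""
    return {**env, formal: env[actual]}


def f(values):
    """f: [Env x S] -> [Env' x S']: give every identifier its own fresh location."""
    env, store = {}, {}
    for ident, v in values.items():
        env, store = alloc(ident, env, store)
        store = assign(ident, v, env, store)
    return env, store


def g(env, store):
    """g: [Env' x S'] -> [Env x S]: read each identifier's value through its location."""
    return {ident: store[loc][1] for ident, loc in env.items()}


def aliases(env):
    """Identifier groups that denote the same location (not expressible in Env x S)."""
    groups = {}
    for ident, loc in env.items():
        groups.setdefault(loc, []).append(ident)
    return {tuple(sorted(ids)) for ids in groups.values() if len(ids) > 1}


def exact_image(values):
    """The Proposition for a pun-free (e,s): g(f((e,s))) = (e,s)."""
    return g(*f(values)) == values


def sharing_demo():
    """Change one value through a by-reference formal and watch the actual change too;
    then map to the simple model and back and watch the sharing disappear."""
    env, store = f({"x": 1, "y": 2})              # constructed pun-free (e,s)
    env_p = by_reference("p", "x", env)           # inside a procedure body: p is x
    store = assign("p", 42, env_p, store)
    env_back, _ = f(g(env_p, store))              # approximate image, then re-image
    return {"x_after": lookup("x", env, store),
            "aliases_before": aliases(env_p),
            "aliases_after_roundtrip": aliases(env_back)}
```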
6.2.6 Clauses of the definition

In the definitions below, we will use s_tag(l) and s_val(l) to denote the Boolean and value components respectively of location l in the store s.


6.2.6.1 Expressions

    Me'<n>(e;s) = Int<n>

    Me'<t>(e;s) = Bool<t>

    Me'<id>(e;s) =
        let a = e<id> in
            if a is Val then a
            else if a is Loc
                then if s_tag(a) then
                         if s_val(a) is Udef then t else s_val(a)
                     else t
            else if a is Func_x_Loc then
                if s_tag(a{2}) then
                    if s_val(a{2}) is Udef then t else s_val(a{2})
                else t
            else t

        If the identifier denotes a value or an active variable, return
        its associated value; otherwise the result is undefined.

    Me'<id[exp]>(e;s) =
        let v = Me'<exp>(e;s) to Int
        in (value v): begin
            if e<id> is Int->Val then e<id>(v)
            else if e<id> is Loc then
                if s_tag(e<id>) then
                    if s_val(e<id>) is Int->Loc then
                        let ar = s_val(e<id>)(v)
                        in begin
                            if s_tag(ar) then
                                if s_val(ar) is Udef then t else s_val(ar)
                            else t
                        end
                    else t
                else t
            else t
        end

        For array elements, we must check that the identifier refers to
        an array descriptor and the array element referenced is an
        active location with a value other than undefined.

    Me'<id(varg*)>(e;s) =
        let a = Ma'<varg*>(e;s)
        in (value a): begin
            if e<id> is Func then e<id>(a)
            else if e<id> is Func_x_Loc then (e<id>{1})(a) else t
        end

    Me'<uop exp>(e;s) = Unop<uop>(Me'<exp>(e;s))

    Me'<exp1 bop exp2>(e;s) = Binop<bop>(Me'<exp1>(e;s), Me'<exp2>(e;s))

    Me'<eof>(e;s) = si is Val⁰
6.2.6.2 Value arguments

    Ma'<id>(e;s) =
        let a = e<id> in
            if a is Val then a
            else if a is Int->Val then a
            else if a is Loc then
                if s_tag(a) then
                    if s_val(a) is Val then
                        if s_val(a) is Udef then t else s_val(a)
                    else
                        func(Int i): begin
                            if s_tag(s_val(a)(i))
                            then s_val(s_val(a)(i)) else t
                        end
                else t
            else t

        The only change in Ma' from Ma is in the treatment of arrays.
        If the identifier is an array descriptor, a function of type
        Int->Val is produced giving the value associated with each
        array element. Thus the store need not be passed to functions
        having array arguments. Note that this would be necessary if
        only the array descriptor were passed as the value of array
        arguments.

    Ma'<exp>(e;s) = Me'<exp>(e;s)


6.2.6.3 Statements

The definitions given below will make use of the following auxiliary functions:

1. New: S'->[Loc x S']. New produces a location l and a store s' from an initial store s such that

    a. sv(l) = (false, v) for some v in Val, i.e., l was unallocated in s, and

    b. s'v(l) = (true, u), i.e., l is allocated and has the undefined value in s',

    c. for all locations l' ≠ l, sv(l') = s'v(l'), i.e., all other locations are unchanged, and

    d. s'i = si and s'o = so, i.e., the input and output files are unchanged.

2. Newa: S'->[Loc x S']. Newa produces a location and store similar to that produced by New, except that the value assigned to the location is the "empty" array descriptor ((Int i): u).

3. Alloc: Id->[[Env' x S']->[Env' x S']]. Alloc is used to allocate an "unused" location in the store and to update the environment by binding the identifier to the new location. To give the definition of Alloc, we first require another notational convention. We will extend the syntax of let expressions to allow simultaneous definitions using values of Cartesian product domains. The expression

        let x1, ..., xn = a
        in body

   is defined as

        ((x1, ..., xn): body)(a{1}, ..., a{n}).

   Now Alloc can be defined as follows:

        Alloc(id: (e,s)) =
            let l, s' = New(s)
            in (e[l/id], s')

4. Alloca: Id->[[Env' x S']->[Env' x S']] is used to allocate array designators.

        Alloca(id: (e,s)) =
            let l, s' = Newa(s)
            in (e[l/id], s')

The extensions of Alloc and Alloca to allow sequences of identifiers are obvious and will also be used in the definitions below.
    Ms'<id := exp>(e;c;s) =
        let v = Me'<exp>(e;s)
        in (value v): begin
            if e<id> is Loc then
                if s_tag(e<id>) then
                    if s_val(e<id>) is Val then c(s[e<id> <- v]) else t
                else t
            else if e<id> is Func_x_Loc then c(s[e<id>{2} <- v]) else t
        end

        If the identifier denotes a currently active location with a
        simple value, perform the assignment.

    Ms'<id[exp1] := exp2>(e;c;s) =
        let v1 = Me'<exp1>(e;s) to Int;
            v2 = Me'<exp2>(e;s)
        in (value v1, v2): begin
            if e<id> is Loc then
                if s_tag(e<id>) then
                    if s_val(e<id>) is Int->Loc then
                        let ar = s_val(e<id>)(v1)
                        in begin
                            if ar is Udef then
                                let l, s' = New(s)
                                in c(s'[l <- v2; s_val(e<id>)(v1) <- l])
                            else c(s[ar <- v2])
                        end
                    else t
                else t
            else t
        end

        If both expressions are proper, attempt to assign the value of
        the second expression to the array element denoted on the
        left-hand side. Note that it may be necessary to allocate a
        new location for the array element if no previous assignment
        has been made.
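The following is an added example, not the thesis's own definitions: the two array clauses above modelled directly in Python. The descriptor Int -> [Loc + Udef] lives in the store, Newa creates the empty descriptor, and an element receives its own location from New on its first assignment, exactly the point the commentary makes. Index and value arguments are assumed already evaluated, and the file components of S' are omitted; the names are this example's.

```python
"""Added example (not from the thesis): the array element assignment and reference
clauses of 6.2.6 with lazy allocation of element locations."""
UNDEF = "u"           # the undefined value u
T = None              # the undefined result the thesis writes as t


def new(store):
    """New: S' -> [Loc x S']: an unallocated location, allocated and set to u."""
    loc = 0
    while store.get(loc, (False, UNDEF))[0]:
        loc += 1
    s2 = dict(store)
    s2[loc] = (True, UNDEF)
    return loc, s2


def newa(store):
    """Newa: as New, but the location holds the empty descriptor ((Int i): u)."""
    loc, s2 = new(store)
    s2[loc] = (True, {})          # a dict standing for the partial function Int -> Loc
    return loc, s2


def alloca(ident, env, store):
    """Alloca: bind ident to a freshly allocated array designator."""
    loc, s2 = newa(store)
    return {**env, ident: loc}, s2


def _descriptor(ident, env, store):
    """The checks both clauses share: e<id> is Loc, s_tag holds, s_val is Int->Loc."""
    a = env.get(ident)
    if a is None or not store[a][0]:
        return None
    desc = store[a][1]
    return desc if isinstance(desc, dict) else None


def assign_elem(ident, index, value, env, store):
    """Ms'<id[exp1] := exp2>: the new store, or T."""
    desc = _descriptor(ident, env, store)
    if desc is None:
        return T
    s2 = dict(store)
    ar = desc.get(index, UNDEF)
    if ar is UNDEF:                                   # no previous assignment:
        l, s2 = new(s2)                               # allocate the element's location
        s2[l] = (True, value)
        s2[env[ident]] = (True, {**desc, index: l})   # s_val(e<id>)(v1) <- l
    else:
        s2[ar] = (True, value)
    return s2


def ref_elem(ident, index, env, store):
    """Me'<id[exp]>: the element's value if it is an active, defined location, else T."""
    desc = _descriptor(ident, env, store)
    if desc is None:
        return T
    ar = desc.get(index, UNDEF)
    if ar is UNDEF or not store[ar][0]:
        return T
    v = store[ar][1]
    return T if v is UNDEF else v


def demo():
    """Constructed run: declare array a, assign a[3] twice, read a[3] and a[4]."""
    env, store = alloca("a", {}, {})
    store = assign_elem("a", 3, 7, env, store)
    store = assign_elem("a", 3, 8, env, store)        # second write reuses the location
    return ref_elem("a", 3, env, store), ref_elem("a", 4, env, store), len(store)
```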


    Ms'<null>(e;c;s) = c(s)

    Ms'<read id>(e;c;s) =
        if si is Val⁰ then t
        else if si is Val* then
            if e<id> is Loc then
                if s_tag(e<id>) then c(s')
                    where s' = (sv[e<id> <- hd(si)], tl(si), so)
                else t
            else t
        else t

    Ms'<read id[exp]>(e;c;s) =
        if si is Val⁰ then t
        else if si is Val* then
            let v = Me'<exp>(e;s) to Int
            in (value v): begin
                if e<id> is Loc then
                    if s_tag(e<id>) then
                        if s_val(e<id>) is Int->Loc then
                            let ar = s_val(e<id>)(v)
                            in begin
                                if ar is Udef then
                                    let l, s' = New(s)
                                    in c((s'v[l <- hd(si); s'v(e<id>)(v) <- l], tl(si), so))
                                else c((sv[ar <- hd(si)], tl(si), so))
                            end
                        else t
                    else t
                else t
            end
        else t

        Again, as in the assignment statement, it may be necessary to
        allocate a new location for the array element if no previous
        assignment has been made.

    Ms'<write exp>(e;c;s) =
        let v = Me'<exp>(e;s)
        in (value v): if so is Val* then c((sv, si, append(so, v)))
                      else t

    Ms'<goto id>(e;c;s) =
        if e<id> is Lab' then e<id>(s) else t

        If the identifier refers to a label, execute the statement
        referred to by the label.
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Ms’fid (id*:varg*) > (e;c;s)  = 
if  =''fid>  is  Proc  thsr 

if  NotTn(varg*,  id*)  fhei} 
if  Distinct  (id*)  :^ihen 

let  a  =  Ma^varg*> (^ ; s) 
i“  (value  a):  sfidXid*  ;  a;  c;  s) 
a  1  s  e  T 
else 
else  t 

If  the  identifier  is  a  procedure  and  *  he 
arqucnen'^  list  is  valid,  evaluate  it  using  •'■he 
supplied  arguments  and  the  curren-^ 
continuation  and  store. 


ihfH  stmtl  else  stmt!  fi^(s;c;3)  =  c'(-) 

=  il  M§^exp>(e;s)  i_o  Pool 
i.hen  M£'fstn!''-1>  (a;c) 
else  Ms  Xst  mt  2>  (e  ;  c) 

selec^ 


cd> (e; c) ) 

to  the 
normal 

con.-^ inuatior)  ;  oth-^rwise  execute  the  body  of 
the  while  followed  by  another  iteration  of 
the  while. 


Evaluate  the  Poolean  expression  and 
the  appropriate  component. 

Ms'fwhile  exp  do  stmt  cd>(e;c;s)  =  rec  c' (s) 

C  =  if  Me<exp>  (<= ; s)  to  Eocl 

then  Ms  '  (e  ;  Ms  Xwhile  exp  do  stmt 

else  c 

If  the  Boolean  expression  is  false,  go 
next  statement  (apply  the 


Ms'f^cr  id  :=  expl  to  exp2  do  stm*  cd>(e;c;s)  = 
le*  vl  =  Mef exp  1 > (^ ; s)  to  Int; 

v2  =  Mef exp2> (= ;s)  to  Int 
in 

(value  v1,v2) :  begin 
if  efid>  is  Loc 
if  s_tag(efid>) 

if  s_val(efid>)  is  Val 

^hen  itera-': e  (sf  ef  id>  <-  v'' ]) 
else  t 
else  t 
else  1 
els e  t 

^ll£De  rec  func  iterate  (S'  sl)  :  begin 

if  s1_val  (ef  id>)  >  v2  then  c  ( s1[  <-  u  ]) 

else  Ms  ' -fstmt^  (e  ;c”  ;  si) 

~  l]iIi£(-2):  iterate  (s2f  efid^<-s2_val  (e<id>) +1  ]) 

end 


stir t2>  (e;c ; s)  = 

*5s  ’  <stmt  1>  (€  ;  Ws' <st  n’t  2>  (e  ;  c)  ;s) 
^s’fbs^ir.  strn“  ?ild>  =  ^s’fstirt:^ 


M'^2  rocadure  id(i61*  :  id2*)vblock;  pblock>  (e ;  c;  s)  = 
if  Nctir.  (id1’'',id2*) 

if  Disti  nc-i- (id  1  *)  then 
if  Distinct  (id2*)  then 

AssignsTc  (vblcck  ,id2*)  then  t 
elsf  Ms ' ^Dblock>  (e[ id  <-  p];c;s) 
else  t 
else  ^ 
else  * 

P  x;  Arg*  y;  C'  cp;  S'  sp)  : 

begin  Ms' fvbl  ock>  ( e  '  [  id  1  *  <-  x;  id2*  <-  y;id  <-  p‘|;cp;sp) 
where 

^Id  -)  t  if  ig  lab 

ill£L  i  =J  ts 

ghen  ei:i>{1}  else  if  e'fi>  is  Lee 
t  else  «=fi> 

=“nd 


Procedures 
the  values 
strie-'-ed 


are  -evaluated  simply  by  plugging 
cf  the  parameters  into  the 
envircnmen+  and  ex^cuning  the 


urocedure  body. 


Ms'<function id(id*); vblock; pblock>(e;c;s) =
    if Distinct(id*) then
        if AssignsTo(vblock, id*) then t
        else Ms'<pblock>(e[id <- f]; c; s)
    else t
    where rec func f(Arg* x):
        begin
            s' = ((Loc 1) : (false,b), t, t)
            let (l, s'') = New(s')
            ...
            Ms'<vblock>(e'; c'; s'')
            where c' = func(S' s1): s1_val(e'<id>{2});
                  e' = e''[id <- (f,l)];
                  e'' = func(Id i): ... is Lab then ...
                                    else if e<i> is Func ...
                                    else if e<i> is Func_x_Loc then ...
                                    else e<i>
        end


Function declarations are similar to procedure declarations except that the "empty" machine store is used to evaluate the function body. Again, the continuation is used to return the result of the function.


Ms'<var id1*; array id2*; lblock>(e;c;s) =
    let (e', s') = Alloc(id1*)(e,s)
    in let (e'', s'') = Alloca(id2*)(e',s')
    in Ms'<lblock>(e''; c; s'')

Allocate storage for the simple variables and array designators and execute the body of the label block.


Ms'<label id: stmt; lblock>(e;c;s) =
    let c' = Ms'<stmt>(e; c)
    in Ms'<lblock>(e[id <- c']; c; s)


6.2.6.4 Programs


Mp'<program id; vblock.>(v*) =
    Ms'<procedure id; vblock; begin id end>
        (e-init; (s): so; ((Loc 1) : (false,b), v*, nil))


6.2.7 Equivalence of the definitions


In this section, we will prove the "semantic equivalence" of the standard semantics given above and the mathematical semantics of the PASCAL subset given in Chapter 4, where by "semantic equivalence" we mean that for any input file both interpretations of PASCAL subset programs produce identical output files. To prove the main theorem of this section, we will prove three lemmas, which will also be used to show:

1. the equivalence of the call-by-reference and call-by-value/result interpretations of variable parameter passing to procedures given above, and

2. the validity of the previously given axiomatic definition of the PASCAL subset with respect to the standard semantics of 6.2.6.
To prove the main theorem, we will use the following technique. We will first define a relation R between elements of the domains [Env x S] and [Env' x S'] such that (e,s) and (e',s') are related iff:

1. the input and output files are the same,

2. all functions have the same values in e and e',

3. all of the program variables have the same value (both simple variables and arrays), and the structure of e' and s' is simple enough to be represented by s, and

4. all procedure and label values map related inputs into identical outputs.

Then we will show that:

1. Ms and Ms' preserve R for every procedure, variable, and label block, and

2. Mp and Mp' produce an initial state satisfying R.

From this we can immediately deduce that the final output must be the same using both Mp and Mp', thus establishing the theorem. And, we can use the preservation of R by Ms and Ms' to establish the validity of the axiomatic definition with respect to the standard semantics of the PASCAL subset.

Definition 6.2: Let SameFiles be a relation in

    S x S'

such that SameFiles(s,s') iff

1. si = s'i, and

2. so = s'o.


Definition 6.3: Let SameFunc be a relation in

    Env x Env'

such that SameFunc(e,e') iff ∀i ∈ Id, e<i> is Func = true implies that either e'<i> is Func = true or e'<i> is Func_x_Loc = true, and either e<i> = e'<i> or e<i> = e'<i>{1}, i.e., all functions in e and e' have the same value.
Definition 6.4: Assume e' ∈ Env' and s' ∈ S'. Then (e',s') is said to be non-sharing iff ∀id ∈ Id, if e'<id> is Loc = true, then

1. ∀id' ∈ Id, e'<id'> ≠ e'<id>,

2. ∀id' ∈ Id, e'<id'> is Func_x_Loc = true implies e'<id'>{2} ≠ e'<id>,

3. ∀id' ∈ Id, e'<id'> is Loc = true and s'_val(e'<id'>) is Int->Val = true implies that for all n ∈ Int, s'_val(e'<id'>)(n) ≠ e'<id>,

4. and if s'_val(e'<id>) is Int->Val = true, then ∀n ∈ Int,

   a. ∀id' ∈ Id, e'<id'> ≠ s'_val(e'<id>)(n),

   b. ∀id' ∈ Id, e'<id'> is Func_x_Loc = true implies s'_val(e'<id>)(n) ≠ e'<id'>{2},

   c. ∀id' ∈ Id, e'<id'> is Loc = true and s'_val(e'<id'>) is Int->Val implies ∀n' ∈ Int, s'_val(e'<id'>)(n') ≠ s'_val(e'<id>)(n),

or if e'<id> is Func_x_Loc = true, then ∀id' ∈ Id, if e'<id'> is Func_x_Loc = true, then (e'<id>){2} ≠ (e'<id'>){2}.

Essentially, an environment and store is non-sharing iff each location can be referred to by only a single variable. Now, we can relate the variables of (e,s) and (e',s') as follows.
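The non-sharing condition can be checked mechanically on a concrete environment and store. The following Python checker is an added example, not part of the thesis: it encodes a location as a tuple ('loc', n), a Func_x_Loc value as a triple whose last component is the result location, and an Int->Val array as a dict from index to element location, and it reports the first pair of identifiers found to denote the same location. The encodings and the sample environments and stores are constructed here.

```python
"""Checker for the non-sharing condition of Definition 6.4 (added example, not
the thesis's own code).  e' maps identifiers to ('loc', n) or to
('func_x_loc', f, ('loc', n)); s' maps a location to a simple value or, for an
array, to a dict from index to element location (the Int->Val case).
Encodings and sample data are constructed for this example."""
from typing import Any, Dict, List, Optional, Tuple

Loc = Tuple[str, int]


def L(n: int) -> Loc:
    return ('loc', n)


def locations_of(ident: str, e: Dict[str, Any], s: Dict[Loc, Any]) -> List[Loc]:
    """Every location the identifier denotes: its own location, the element
    locations of an array stored there, or a function's result location."""
    v = e[ident]
    if v[0] == 'loc':
        locs = [v]
        arr = s.get(v)
        if isinstance(arr, dict):            # s'_val(e'<id>) is Int->Val
            locs.extend(arr.values())
        return locs
    if v[0] == 'func_x_loc':
        return [v[2]]                        # e'<id>{2}
    return []                                # labels and plain functions own no location


def non_sharing(e: Dict[str, Any], s: Dict[Loc, Any]) -> Tuple[bool, Optional[Tuple[str, str, Loc]]]:
    """True iff each location is referred to by a single variable or array
    element.  On failure the witness names the two identifiers sharing a
    location: exactly the aliasing that the assignment case of lemma 6.1 rules out."""
    owner: Dict[Loc, str] = {}
    for ident in e:
        for loc in locations_of(ident, e, s):
            if loc in owner:
                return False, (owner[loc], ident, loc)
            owner[loc] = ident
    return True, None


# Constructed sample environments and stores.
CLEAN_E = {'x': L(1), 'a': L(2), 'f': ('func_x_loc', 'f-body', L(5))}
CLEAN_S = {L(1): 0, L(2): {1: L(3), 2: L(4)}, L(5): 0}
ALIAS_E = {'x': L(1), 'y': L(1)}                      # two variables, one location
ALIAS_S = {L(1): 7}
ELEM_ALIAS_E = {'a': L(2), 'b': L(3)}                 # b names an element of the array a
ELEM_ALIAS_S = {L(2): {1: L(3), 2: L(4)}, L(3): 0}
```

Because the checker records every location an identifier can reach, it also catches the case 4c allows for within one array (two indices mapped to the same element location), since the second occurrence of that location is already owned by the same identifier.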


Definition 6.5: Let SameVar be a relation in

    [Env x S] x [Env' x S']

such that SameVar((e,s),(e',s')) iff ∀id ∈ Id,

1. Me<id>(e;s) = Me'<id>(e';s'), and

2. for all exp ∈ Exp, Me<exp>(e;s) = Me'<exp>(e';s') implies Me<id[exp]>(e;s) = Me'<id[exp]>(e';s'),

3. (e,s) is pun-free, and

4. (e',s') is non-sharing.

In other words, SameVar((e,s),(e',s')) is true iff each attempted use of an identifier as either a simple variable or an array produces the same result (either an error or a value), and each location in e' and all the active arrays in s' are distinct. This final condition will be necessary in proving lemma 6.1 below. One fact which should be checked is that SameVar and SameFunc define a relation other than the empty relation, i.e., we need to show that Me and Me' actually can produce the same value for some inputs. Proof that this is true can be given by a simple case analysis on the structure of expressions.

Definition 6.6: Let R be a relation in

    [Env x S] x [Env' x S']

such that R((e,s),(e',s')) iff:

1. SameFiles(s,s'), and

2. SameVar((e,s),(e',s')), and

3. SameFunc(e,e'), and

4. RelProc(e,e'), where RelProc is defined as follows.

    RelProc(e,e') iff ∀i ∈ Id and x ∈ Id*, a ∈ Arg*,
        R((e,s1),(e',s1')) implies
            [ [∀c Ms<i(x*;a*)>(e;c;s1) = c(s2) iff
               ∀c' Ms'<i(x*;a*)>(e';c';s1') = c'(s2')] and
              R((e,s2),(e',s2')) ].

5. RelLab(e,e'), where RelLab(e,e') iff ∀l ∈ Id,

    R((e,s1),(e',s1')) implies
        Ms<goto l>(e;c;s1) = Ms'<goto l>(e';c';s1')
    for arbitrary c and c'.

Essentially, (e,s) and (e',s') are related by R iff they have the same values for all of the functions, files, and variables, and the procedure and label values take related inputs and produce related outputs. Again, it is necessary to show that R is simply not the empty relation. This can be seen from the fact that SameFiles, SameVar, and SameFunc are not empty and the definitions of procedure declaration and call and goto given using Ms and Ms'. We now use R to show the equivalence of the definitions by means of the following lemmas.

Lemma 6.1: Assume R((e,s),(e',s')). Then for all stmt in the domain Stmt, if for any s1,s1', R((e,s1),(e',s1')) implies c(s1) = c'(s1'), then

    Ms<stmt>(e;c;s) = Ms'<stmt>(e';c';s').

Proof: By structural induction on the elements of Stmt.

Basis: Stmt is the domain {b}. Then by the definitions of Ms and Ms', we have that both produce b, and by lemma 5.1 there can be no such s1 and s1'.

Induction: There are two subcases. First, the statement could be a simple statement. The various cases of simple statements are easily handled by the clauses of the definition of R. Since R requires RelProc and RelLab, it is clear that if the statement is a procedure call, the lemma must be true. The truth of the lemma for write statements follows immediately from SameFiles and SameVar. The most important cases are the cases of assignment and read statements. Here the fact that e' maps distinct identifiers to distinct locations is necessary to guarantee that the only variable affected by the assignment or read is the one referenced in the statement; all other variables are unchanged.

The truth of the lemma for compound stat
ements follows immediately from its truth for simple statements and the fact that expressions produce the same values in states related by R.

Q.E.D. lemma 6.1.

Lemma 6.2: Assume R((e,s),(e',s')). Then for all pblock in the domain Pblock, if R((e,s1),(e',s1')) implies c(s1) = c'(s1'), then

    Ms<pblock>(e;c;s) = Ms'<pblock>(e';c';s').

Proof: By structural induction on the elements of the domain Pblock.

Basis: pblock is b in the domain {b}. Then both Ms and Ms' produce b as their value, regardless of the particular e, c, or s.

Induction: There are three subcases, for which we outline proofs below.

1. pblock is simply a statement. The lemma is true by lemma 6.1.

2. pblock is headed by a function declaration. From the definition of function values, we can show, by fixed point induction, that the function bodies are evaluated in related environments and states and that the continuations used to produce the final value of the function satisfy the hypothesis of the lemma. To apply the induction hypothesis, we must first show that if the lemma is true for procedure blocks, then it is also true for variable blocks. This can be readily seen from the meanings of variable and label blocks using Ms and Ms'. Then we can apply the induction hypothesis to the body of the procedure block with the environment altered to include the new function value to show the truth of the lemma.

3. pblock is headed by a procedure declaration. This case is similar to the previous case, except that we need to show that RelProc(e1,e1'), where e1 and e1' are the environments produced by evaluating the procedure declaration at the head of the block. The only real trick is guaranteeing that SameVar is true of the environments and states used to evaluate the procedure body, particularly that the environment used still maps distinct identifiers to distinct locations. But this must be true, because we require all variable arguments to be distinct identifiers. Then the lemma follows from two applications of the induction hypothesis, similar to the case above.

Q.E.D. lemma 6.2.
The third case in the proof of lemma 6.2 and the definition of RelProc as part of R establishes the essential equivalence of the call-by-value/result and the call-by-reference interpretations of parameter passing to procedures. This justifies the use of call-by-reference as an optimization by an actual implementation of the PASCAL subset. Before giving the main theorem showing Mp and Mp' to be equivalent, we will first show the axiomatic definition valid with respect to our standard semantics, using the previous lemma. First, we need the following obvious lemma.

Lemma 6.3: Assume R((e,s),(e',s')) for some e,e' and s,s'. Now, let I' be an interpretation of assertions using Me' (appropriately extended to handle the extended expressions of Chapter 5) to evaluate the basic assertions. Then for every assertion ast,

    I<ast>(e;s) = I'<ast>(e';s').

Proof: This lemma follows immediately from the definition of R (in particular, the definitions of SameVar, SameFunc, and SameFiles) and the interpretation function meanings.


From our previous discussion it is clear that the axiomatic definition of Chapter 4 is not valid with respect to every member of Env' and S', i.e., there are environments and stores for which the result defined by Ms' and the result defined by the rules of inference would differ. Thus we need a notion of validity with respect to environments and stores to state the theorem relating the two definitions.

Definition: The axiomatic definition of a procedure block, or variable block, or label block A is valid with respect to e' ∈ Env' and s' ∈ S' iff

    {P} A {Q}

implies

    I'<P>(e';s') = true =>
        [∀s'' ∀c  Ms'<A>(e';c;s') = c(s'') =>
            I'<Q>(e';s'') = true].
Theorem 6.1: If for (e',s') there exists some (e,s) such that

    R((e,s),(e',s')),

then for all procedure, variable, or label blocks A, the axiomatic definition is valid with respect to e' and s'.

Proof: From lemmas 6.1-6.3. From lemma 6.3, we have

    I<P>(e;s) = true iff I'<P>(e';s') = true.

And, from lemmas 6.1 and 6.2, we have that, for continuations that map related values to identical output files,

    Ms<A>(e;c;s) = Ms'<A>(e';c';s').

But, it is clear that if Ms produces a final result by applying the normal continuation, then Ms' must produce the same result by also applying the normal continuation, so we have that if

    Ms<A>(e;c;s) = c(s1), then we must have
    Ms'<A>(e';c';s') = c'(s1').

Finally, from lemmas 6.1 and 6.2, we can show that

    R((e,s1),(e',s1')).

Then, by applying lemma 6.3 again to the post-assertion Q, the theorem is true.

Q.E.D. theorem 6.1.

Finally, we are ready to prove the main theorem of this section, showing the equivalence of Mp and Mp'.

Theorem 6.2: Assume e-init is a member of Env and Env' such that for all i ∈ Id,

    e-init<i> is Func = true, or
    e-init<i> = b or e-init<i> = t,

i.e., e-init only provides certain implementation-defined functions. Then for all v* ∈ Val* and for all prog ∈ Prog,

    Mp<prog>(v*) = Mp'<prog>(v*).

Proof: From 4.4.5.3, we have

    Mp<program id; vblock.>(v*) =
        Ms<procedure id; vblock; begin id end>
            (e-init; (s): so; (t, v*, nil))

and, from 6.2.6.4, we have

    Mp'<program id; vblock.>(v*) =
        Ms'<procedure id; vblock; begin id end>
            (e-init; (s): so; ((Loc 1) : (false,b), v*, nil))

From the definition of e-init and R it is clear that

    R((e-init, (t,v*,nil)), (e-init, ((Loc 1) : (false,b), v*, nil)))

and, since both continuations simply return the output file component of the final state, it is clear that we can immediately apply lemma 6.3 to establish the theorem.

Q.E.D. theorem 6.2.

The axiomatic definition is valid for all PASCAL subset programs with respect to the model provided by Mp'.

6.3 Semantics of the extensions

6.3.1 Introduction

We are now ready to discuss three possible extensions to the PASCAL subset, allowing global variable references within procedure bodies, jumps out of procedures, and passing array components as variable arguments to procedures. In each case, we will

1. argue that the extensions cannot be readily defined using the semantic model of Chapter 4 but can be directly described in terms of the standard semantics given above, and

2. show that the difficulty in using the first semantic model to define the extension is indicative of a complication in the appropriate rule of inference for the extended construct. In all three cases, we will show that modifications are required in the axiomatic definition to describe accurately the proposed extension.

The significance of this analysis is twofold. First, by showing that these extensions cannot be easily defined using our original model, but can be using standard semantics, we are in effect establishing that these features are more complex than those originally included in the PASCAL subset, in the sense that the definition of the construct requires a more powerful model than that used in Chapter 4. The fact that we can give an interpretation of the meaning of the "complexity" of a language construct in terms of the semantic model required for its definition is an interesting aspect of the use of mathematical semantics, further justifying its use as a complementary definition technique. Second, the fact that these extensions to the language require major extensions to both the mathematical model used in Chapter 4 and the axiomatic definitions suggests that the original semantic model used reflected accurately the implicit assumptions of the axiomatic approach.

6.3.2 Global variables

We first consider extending the PASCAL subset to include global variable references within procedure bodies, consistent with the informal semantics of procedures given in [Wirth 1973a]. In PASCAL, as in Algol 60, the scope of variables is determined statically, i.e., from the program text. Thus in PASCAL, the following program

    program ScopeRuleExample;
    var x;
    procedure printx;
        begin write x end;
    procedure newx;
        var x;
        begin x:=1; printx end;
    begin x:=0; newx end.

prints the value zero, rather than one, since the variable reference to x within printx refers to the global x, even though printx was called from a procedure in which another variable x had been declared.


To allow such variable references within procedure bodies requires only minor modification to the standard semantics given for procedures. In section 6.2.6.3, we defined procedures as follows.

    Ms'<procedure id(id1* : id2*) vblock; pblock>(e;c;s) =
        if Distinct(id1*) then
            if Distinct(id2*) then
                if AssignsTo(vblock, id2*) then t
                else Ms'<pblock>(e[id <- p]; c; s)
            else t
        else t
        where rec func p(Loc* x; Arg* y; C' cp; S' sp):
            begin Ms'<vblock>(e'[id1* <- x; id2* <- y; id <- p]; cp; sp)
            where e' = func(Id i): if e<i> is Loc or e<i> is Lab then t
                                   else if e<i> is Func_x_Loc then e<i>{1}
                                   else e<i>
            end

Now to extend the semantics to produce a value other than t for procedure calls which reference global variables, we need only change e' so that it does not "hide" the identifiers for which e produces a location value. In other words, the e' used above is simply replaced by

    e' = func(Id i): if e<i> is Lab then t else e<i>

(we will still hide labels to disallow jumps out of blocks). Remember that the environment component is used to record the static bindings of names to values, so it should be clear that this interpretation of procedures is consistent with the informal description of PASCAL procedures.


Now, let us consider how this same extension could be defined using the semantic model of Chapter 4. From our previous discussion, it is clear that the definition should involve a binding in the procedure value formed by procedure declaration. But, remember our definition of procedure blocks in Chapter 4.

    Ms<procedure id(id1* : id2*) vblock; pblock>(e;c;s) =
        if NotIn(id1*, id2*) then
            if Distinct(id1*) then
                if Distinct(id2*) then
                    if AssignsTo(vblock, id2*) then t
                    else Ms<pblock>(e[id <- p]; c; s)
                else t
            else t
        else t
        where rec func p(Id* x; Arg* y; C cp; S sp):
            begin Ms<vblock>(e'[id <- p]; cp'; sp')
            where e' = func(Id i): if e<i> is Lab then t else e<i>;
                  cp' = func(s1): cp((spv[x <- s1v<id1*>], s1i, s1o));
                  sp' = (t[id1* <- spv<x>; id2* <- y], spi, spo)
            end

Unfortunately, the only possibilities available for binding in this definition are:

1. to bind the state in the procedure value, i.e., use the values of the variables at the time of procedure declaration. The earlier example shows that this approach does not give the required semantics, since the values of global variables can change between procedure declaration and procedure call,

2. not to bind the state within the procedure body, but instead use the state passed as the argument of each procedure call, i.e., change the previous definition to be
    Ms<procedure id(id1* : id2*) vblock; pblock>(e;c;s) =
        if Distinct(id1*) then
            if Distinct(id2*) then
                if AssignsTo(vblock, id2*) then t
                else Ms<pblock>(e[id <- p]; c; s)
            else t
        else t
        where rec func p(Id* x; Arg* y; C cp; S sp):
            begin Ms<vblock>(e'[id <- p]; cp'; sp')
            where e' = func(Id i): if e<i> is Lab then t else e<i>;
                  cp' = func(s1): cp(s1[id1* <- spv<id1*>; id2* <- spv<id2*>;
                                        x <- s1v<id1*>]);
                  sp' = sp[id1* <- sp<x>; id2* <- y]
            end

Again, our previous example shows that this definition does not correspond to the semantics of global variable references in PASCAL. Instead, we get the "dynamic scope" of languages like SNOBOL4 and APL.


It is possible, however, to give a semantics using the model of Chapter 4 which does produce the appropriate results. First, if we assume that all variable identifiers in programs are distinct, then it should be clear that both dynamic and static interpretations of the scope of variables give the same results, because no clashes of names can occur. Then our last definition of procedures would be equivalent to the one using standard semantics. Thus we could include in the semantic definition a "prepass" through the program text, changing the identifiers so that all variables are distinct. In doing so, however, the underlying semantics no longer interprets the program text directly, which was one of the motivations of both the mathematical and axiomatic approaches.

The second technique is also a cheat. Using the technique of Gödel-numbering, we can obviously encode within each variable in the current state the values of the variable within each active scope, so that procedure calls could make available not only the most recent value of the variable in the state, but also its previous values in outer scopes. Again, such an approach is not consistent with the intention of giving simple, intuitive semantic descriptions.

Thus, we can see that giving a natural semantics for global variable references in PASCAL procedures is too complex for the semantic model of Chapter 4. By a rather simple argument we can also show that this extension requires a significant change in the rule of inference for procedure declaration given earlier. Again, the problem arises because the semantics of the construct suggests that a distinction should be made between the location denoted by a variable and the value stored at the location, and the assertion language used in the axiomatic definition does not allow such a distinction to be made.

Remember that the rule of inference for procedure declaration was the following.

    {P} p(x*;y*) {R} |- {P} vblock {R},
    {P} p(x*;y*) {R} |- {P'} pblock {R'}
    ---------------------------------------------
    {P'} procedure p(x*;y*); vblock; pblock {R'}

where the assertions P and R are only allowed to refer to the parameters x* and y* and the input and output files. Obviously, if we wish to allow global variable references in procedures, we must extend P and R to refer to any free variables appearing in the procedure body vblock, i.e., to any global variable references. The problem with this is that the body of the procedure block (pblock) may contain declarations of these free variables, which makes the assertions P and R invalid for stating the properties of the procedure within the block body.

For example, consider our earlier example:

    program ScopeRuleExample;
    var x;
    procedure printx;
        begin write x end;
    procedure newx;
        var x;
        begin x:=1; printx end;
    begin x:=0; newx end.

Using the axiomatic system of Chapter 4, we can produce the following derivation.

    (1) {x=1} begin write x end {out{#out} = 1}                    [write]
    (2) {x=1} printx {out{#out} = 1}                               [assump.]
    (3) {true} var x; begin x:=1; printx end {out{#out} = 1}       [2, ass., seq., v.decl.]
    (4) {true} newx {out{#out} = 1}                                [assump.]
    (5) {true} begin x:=0; newx end {out{#out} = 1}                [4, ass., seq.]
    (6) {true} procedure newx; ... end. {out{#out} = 1}            [4,5, p.decl.]
    (7) {true} procedure printx; ... end. {out{#out} = 1}          [2,6, p.decl.]
    (8) {true} program ... end. {out{#out} = 1}                    [7, v.decl., prog.]

However, using the informal definition of the semantics of PASCAL given in [Wirth 1973a], we would expect that actually executing the program in a correct implementation would cause zero, rather than one, to be printed. The trouble with the previous derivation lies in the use of the procedure declaration rule in (6). Because of the local declaration of the variable x, the assumption of line (2) no longer describes the execution of the procedure printx within the context of the body of newx (note that this assumption is, however, valid for calls within the statement following the declarations of printx and newx). Thus, it seems that to make the rule of inference for procedure declarations valid when global variable references are allowed, we must guarantee that the assumptions about procedure calls are sufficient to prevent their improper application in any context in which a call may occur.

One way to change the axiomatic definition to guarantee that such naming conflicts will not arise is to perform substitutions of new identifiers for program variables in the program text, as was proposed earlier in this section. The rule of inference for variable declarations then becomes

    {P<z/x>} stmt<z/x> {R<z/x>}
    -------------------------------
    {P} var x; begin stmt end {R}

where z does not occur free in P, R, or stmt. Then our previous derivation would be replaced by

    (1) {x0=0} begin write x0 end {out{#out}=0}                          [write]
    (2) {x0=0} printx {out{#out}=0}                                      [assump.]
    (3) {x0=0} begin x1:=1; printx end {out{#out}=0}                     [2, ass., seq.]
    (4) {x0=0} var x; begin x:=1; printx end {out{#out}=0}               [3, v.decl.]
    (5) {x0=0} newx {out{#out}=0}                                        [assump.]
    (6) {true} begin x0:=0; newx end {out{#out}=0}                       [5, ass., seq.]
    (7) {true} procedure newx; begin x0:=0; ... end {out{#out}=0}        [5,6, p.decl.]
    (8) {true} procedure printx; begin ... x0:=0 ... end. {out{#out}=0}  [2,7, p.decl.]
    (9) {true} program ... {out{#out}=0}                                 [8, v.decl., prog.]

which corresponds to the informal semantics of the Revised PASCAL Report. However, the rule of inference for variable declarations now involves a substitution in the program text, something which we have avoided in all the previous definitions given in this thesis. Thus it seems that the same increased complexity that appeared in attempting to define these extended procedures in our earlier mathematical model also appears in the attempt to give an axiomatic semantics of these more general procedure bodies.

6.3.3 Jumps out of procedures

In Chapter 4, we saw that our use of continuations to save and restore the values of variables required that we not allow jumps out of procedures (or functions). In this section, we describe how such jumps can be handled using the standard semantics of the PASCAL subset and discuss the effects of such jumps on the axiomatic definition given in Chapter 4.

As is pointed out in [Wadsworth and Strachey 1973], the technique of using continuations in the semantic definitions is powerful enough to define a wide variety of jumps, including "error" exits from procedures and functions. In fact, the only change that would be required in our standard semantics of the PASCAL subset is simply not to "hide" label values across procedure boundaries. Since label declarations bind the environment to the body of the statement associated with the label, it is clear that jumps out of procedures and functions would cause execution of the label body using the environment at the time of declaration of the label, regardless of whatever environment was in use to evaluate the procedure or function body prior to the execution of the jump. Thus, the new semantics for procedure declaration to allow such jumps would simply be
    Ms'<procedure id(id1* : id2*) vblock; pblock>(e;c;s) =
        if Distinct(id1*) then
            if Distinct(id2*) then
                if AssignsTo(vblock, id2*) then t
                else Ms'<pblock>(e[id <- p]; c; s)
            else t
        else t
        where rec func p(Loc* x; Arg* y; C' cp; S' sp):
            begin Ms'<vblock>(e'[id1* <- x; id2* <- y; id <- p]; cp; sp)
            where e' = func(Id i): if e<i> is Loc then t
                                   else if e<i> is Func_x_Loc then e<i>{1}
                                   else e<i>
            end

and the definition of goto would remain as above.

The fact that it was necessary to restrict such exits from our earlier mathematical definition suggests that this construct also causes problems using axiomatic semantics. As with global variables, this is indeed the case. And again the problem is that the rule of inference for label declarations is insufficient to prevent the misapplication of the assumed properties of the label value in contexts in which they are not valid.


For example, consider the PASCAL code fragment

   program labelProblem;
   var errortype;
   label error: write errortype;
   procedure ErrorExit;
   var errortype;
   begin errortype := 2; goto error end;
   begin errortype := 1; ErrorExit end.

This program obviously should print the value one. Yet using the axiomatic definition of Chapter 4 we can derive the following:

   (1) {errortype = 2} write errortype {out{#out} = 2}        [write]
   (2) {errortype = 2} goto error {false}                     [assump.]
   (3) {errortype = 2} goto error {out{#out} = 2}             [2, conseq.]
   (4) {true} var errortype; begin ... end {out{#out} = 2}    [3, ass., seq., v.decl]
   (5) {true} ErrorExit {out{#out} = 2}                       [assump.]
   (6) {true} begin ... ErrorExit end {out{#out} = 2}         [5, ass., seq.]
   (7) {true} program ... end. {out{#out} = 2}                [2, 4, 6, p.decl., l.decl, v.decl]

Again, the problem is that step (4) of the proof involves an application of the rule of inference in a context in which it is invalid. The truth of the assertion {errortype = 2} inside the block of the procedure does not guarantee its truth outside of the procedure body, because of the multiple declarations of errortype. As with global variable references, the axiomatic system does not allow the construction of assertions which are sufficient to guarantee that they can only be applied in proper contexts. And, again, the change necessary to the axiomatic definitions to disallow such possibilities is changing the rule of inference for variable declarations to perform substitutions of new identifiers in the body of the program text.
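As an added illustration (not the thesis's own code), the following Python interpreter gives the continuation semantics sketched in this section for a fragment of the subset and runs the labelProblem program above; statements are encoded as tuples, and the names Lab, Proc, exec_stmt and run are this example's own.

```python
"""Continuation semantics for jumps out of procedures (constructed example, not the
thesis's own code): label values carry the environment current at their declaration."""
from typing import Any, Callable, NamedTuple

Store = tuple  # (memory: loc -> value, output: tuple of the values written so far)
Cont = Callable[[Store], tuple]  # a continuation maps a store to the program's final output

class Lab(NamedTuple):   # label value: label body, declaring environment, continuation
    body: Any
    env: dict
    cont: Cont

class Proc(NamedTuple):  # procedure value: its block and its declaring environment
    block: Any
    env: dict

def eval_exp(exp, env, store):
    """Expressions of the fragment: integer literals and simple variables."""
    if exp[0] == "num":
        return exp[1]
    if exp[0] == "var":
        return store[0][env[exp[1]]]  # an identifier denotes a location
    raise ValueError(exp)

def exec_stmt(stmt, env, cont, store):
    """Ms'<stmt>(e; c; s): statements are tuples tagged by their first element."""
    tag = stmt[0]
    if tag == "null":
        return cont(store)
    if tag == "seq":
        return exec_stmt(stmt[1], env, lambda s: exec_stmt(stmt[2], env, cont, s), store)
    if tag == "assign":
        mem, out = store
        return cont(({**mem, env[stmt[1]]: eval_exp(stmt[2], env, store)}, out))
    if tag == "write":
        mem, out = store
        return cont((mem, out + (eval_exp(stmt[1], env, store),)))
    if tag == "goto":
        # The jump discards the current continuation and environment: the label body
        # runs in the environment that was current when the label was declared.
        lab = env[stmt[1]]
        return exec_stmt(lab.body, lab.env, lab.cont, store)
    if tag == "call":
        p = env[stmt[1]]
        # The one change described in the text: locations declared outside the
        # procedure stay hidden from its body, but label values are no longer hidden.
        visible = {k: v for k, v in p.env.items() if isinstance(v, (Lab, Proc))}
        return exec_stmt(p.block, {**visible, stmt[1]: p}, cont, store)
    if tag == "var":                       # var ids; body: fresh locations for ids
        mem, out = store
        fresh = {ident: len(mem) + k for k, ident in enumerate(stmt[1])}
        mem = {**mem, **{loc: None for loc in fresh.values()}}
        return exec_stmt(stmt[2], {**env, **fresh}, cont, (mem, out))
    if tag == "label":                     # label id: body; lblock
        env2 = dict(env)
        env2[stmt[1]] = Lab(stmt[2], env2, cont)   # binds the declaring environment
        return exec_stmt(stmt[3], env2, cont, store)
    if tag == "procedure":                 # procedure id; block; pblock
        env2 = dict(env)
        env2[stmt[1]] = Proc(stmt[2], env2)
        return exec_stmt(stmt[3], env2, cont, store)
    raise ValueError(stmt)

# The labelProblem program of the text as an abstract syntax tree.
LABEL_PROBLEM = (
    "var", ["errortype"],
    ("label", "error", ("write", ("var", "errortype")),
     ("procedure", "ErrorExit",
      ("var", ["errortype"],
       ("seq", ("assign", "errortype", ("num", 2)), ("goto", "error"))),
      ("seq", ("assign", "errortype", ("num", 1)), ("call", "ErrorExit")))))

def run(program):
    """Output of a program started with an empty store; the final continuation
    returns the output component of the store."""
    return exec_stmt(program, {}, lambda store: store[1], ({}, ()))

if __name__ == "__main__":
    print(run(LABEL_PROBLEM))  # (1,): the label body reads the outer errortype
```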

A point of interest about the preceding discussions of global variables and escapes from procedures is that we have provided a partial answer to a question raised by Lauer in [1971]. He noted that for his "Algol fragment" the rule of inference for variable declarations given in Chapter 4 was sufficient, and questioned how far the language used in his thesis could be extended before it was necessary to introduce rules of inference involving more than textual substitutions in assertions. By using mathematical semantics as a complementary definition technique, we have been able to recast this question in terms of when the simple model of semantics used in Chapter 4 is insufficient to define a language construct. And, for at least two fairly common language features, we have been able to provide an answer.
6.3.4 Array elements as variable arguments to procedures

The final extension to the PASCAL subset that we will consider is that of allowing array elements, as well as complete array values, to appear in the list of variable arguments in a procedure call. Again, we first show the implications of the extension in the mathematical definitions, and then the changes required in the axiomatic definition to define this extension accurately.


In this case, unlike our previous extensions, a change in the syntax of the language is required. Remember that our earlier syntax of procedure calls was

   id(id*: varg*),

which allows only identifiers as variable arguments. Thus, to allow array elements as variable arguments, we first extend the syntax of statements to allow

   id(var*: varg*)

as allowable procedure designators. To refresh the reader's memory, the extended syntax of statements is defined by the following domains to include the new procedure designators.


   Var  = Id + [Id x Exp]                 variables

   Stmt = null                            empty statement
        + [goto x Id]                     goto
        + [Var x Exp]                     assignment
        + [read x Var]                    read
        + [write x Exp]                   write
        + [Id x Var* x Varg*]             procedure designators
        + [Exp x Stmt x Stmt]             conditional statements
        + [Exp x Stmt]                    while statements
        + [Id x Exp x Exp x Stmt]         for statements
        + [Stmt x Stmt]                   statement sequences
        + [begin x Stmt x end]            compound statements
Again, this extension causes little problem using standard semantics. Since we have defined array descriptors as being of type Int->Loc, to provide a location as a variable argument, we need only evaluate the subscript expression and apply the value produced to the array descriptor to produce the location referred to by the variable. Thus our new standard semantics for procedure call becomes the following.

   Ms'<id(var*: varg*)>(e; c; s) =
     if e<id> is Proc' then
       if Distinct(LocOf(var*; e; s)) then
         let a = Ma'<varg*>(e; s)
         in (value a): e<id>(LocOf(var*; e; s); a; c; s)
       else ⊥
     else ⊥

where the function

   LocOf: Var -> [Env -> [S' -> Loc]]

is defined by

   LocOf(v; e; s) =
     if v is Id then
       if e<v> is Loc then e<v>
       else if e<v> is Func_x_Loc then e<v>{2}
       else ⊥
     else if v is Id_x_Exp then
       begin
         let val = Me'<v{2}>(e; s) to Int
         in (value val):
           if e<v{1}> is Loc then
             if s_tag(e<v{1}>) then
               if s_val(e<v{1}>) is Int->Loc then s_val(e<v{1}>)(val) else ⊥
             else ⊥
           else ⊥
       end
     else ⊥

Again, we will use the obvious extension of LocOf applied to lists of variables.


To extend our earlier model to handle the proposed extension requires more work, but does not necessitate any textual substitutions in PASCAL subset programs. We can represent array parameters in the model used in Chapter 4 as follows, but it necessitates changing the definition of the meaning of procedures,

   Vr   = Id + [Id x Int]                       variable arguments

   Proc = Vr* -> [Arg* -> [C -> [S -> S]]]

and changing the definition of both procedure call and declaration to the following.

   Ms<id(var*: varg*)>(e; c; s) =
     if e<id> is Proc then
       if Distinct(VarOf(var*; e; s)) then
         let a = Ma<varg*>(e; s)
         in (value a): e<id>(VarOf(var*; e; s); a; c; s)
       else ⊥
     else ⊥

where VarOf is defined by

   VarOf(v; e; s) =
     if v is Id then v
     else
       let val = Me<v{2}>(e; s) to Int
       in (value val): (v{1}, val)


   Ms<procedure id(id1*: id2*); vblock; pblock>(e; c; s) =
     if Distinct(id1*) then
       if Distinct(id2*) then
         if AssignsTo(vblock, id2*) then ⊥
         else Ms<pblock>(e[id <- p]; c; s)
       else ⊥
     else ⊥
     where
       p(Vr* x; Arg* y; C cp; S sp) =
         begin Ms<vblock>(e'[id <- p]; cp'; sp')
         where
           e'  = (Id i): if e<i> is Lab then ⊥ else e<i>;
           cp' = (S s1): cp(Replace(sp; x; s1));
           sp' = (spv[id1* <- ValOf(x; sp); id2* <- y], spi, spo)
         end

where

   ValOf(vr; s) =
     if vr is Id then sv<vr>
     else if sv<vr{1}> is Int->Val then sv<vr{1}>(vr{2}) else ⊥

and

   Replace(s1; vr; s2) =
     if vr is Id then s1[vr <- s2v<vr>]
     else s1[vr{1}(vr{2}) <- s2v<vr{1}>(vr{2})]

Again, we use the extensions of ValOf and Replace to lists of variables.


The major difference between our earlier definitions of procedures and those given in this section is in the tests for distinct variables occurring in the procedure call definitions. In the earlier definitions, these tests were of the form

   if Distinct(id*) then ...

where the arguments to Distinct were all elements of syntactic domains. This test also appears explicitly in the axiomatic definition in the restriction on the application of the procedure call rule of inference to those procedure calls where all of the variable arguments are required to be distinct identifiers.


The following example shows the problem involved with using the procedure call rule if the variable arguments are not distinct. Consider the following PASCAL code fragment.

   procedure p(x, y:);
   begin x := 1 end;
   var a, b;
   begin a := 2; p(a, a:) end

Now, if we disregard the requirement that variable arguments be distinct, we can use the axiomatic definition to produce the following derivation.


   (1) {y=2} begin x := 1 end {x=1 and y=2}         [assign.]
   (2) {y=2} p(x, y:) {x=1 and y=2}                 [assump.]
   (3) {true} a := 2 {a=2}                          [assign.]
   (4) {true} a := 2; p(a, a:) {a=1 and a=2}        [2, 3, proc. call]

OOPS!


The cause of this difficulty is readily understood in terms of the proof of lemma 6.1. Remember that to show the standard semantics equivalent to our earlier semantics for all label blocks, it was necessary to restrict the environments used in the standard semantics to those which mapped distinct identifiers to distinct locations; otherwise, the two definitions could produce different results for assignment statements. And, from our standard semantics for procedures, we see that one way in which we could produce an environment in which identifiers "shared" the same location is to pass the same argument as more than one variable argument to a procedure.

To disallow this possibility, we can use one of two approaches. The obvious approach is simply to require that all array element variable arguments be from distinct arrays. This approach would again allow the tests for distinct variables in the mathematical definitions to be given in terms of applications of Distinct to elements of syntactic domains, and could be similarly stated as a syntactic restriction on applications of the procedure call rule of inference in the axiomatic definition. Note, however, that this approach would disallow a rather large class of procedure calls, including some which are obviously valid, like

   p(a[1], a[2]:).

The other possibility is to attempt to extend the axiomatic definition to handle the full generality of the procedure calls defined above. We note, however, that since we can no longer test for distinct variables using elements of syntactic domains in the mathematical definitions, we must extend the axiomatic definition for procedure calls to include such a test as part of the pre-assertion for the rule. The difficulty with this is that such a pre-assertion is difficult to construct using our assertion language. Below, we present an extended rule of inference for procedure calls which allows array elements as variable arguments, but imposes the restriction that the arrays referenced in the procedure call be placed in some ordering. The pre-assertion includes the test for distinct arguments similar to that made in our second definition of these extended procedures.

   {P} p(x*: y*) {Q}

   {P[a[i1]/x1, ..., a[im]/xm, b[j1]/xm+1, ..., b[jk]/xm+k, e*/y*] and
    i1 ≠ i2 and ...}
      p(a[i1], ..., a[im], b[j1], ..., b[jk]: e*)
   {Q[a[i1]/x1, ..., b[jk]/xm+k, e*/y*]}

where neither a nor b appears in

   1. i1, ..., im, or
   2. j1, ..., jk, or
   3. any of the e* expressions.
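The following Python code is an added example, not the thesis's own, that contrasts the three distinctness tests discussed in this section (the syntactic Distinct(id*), the "distinct arrays" restriction, and the run-time Distinct(LocOf(var*; e; s))) and replays the p(a, a:) derivation against the actual effect of the call; the function names and the list-of-equalities form of assertions are assumptions of the example.

```python
"""Distinct variable arguments (constructed example, not the thesis's own code): the
syntactic test Distinct(id*), the run-time test Distinct(LocOf(var*; e; s)) needed once
array elements may be passed, and the unsound derivation for p(a, a:)."""

# A variable argument is an identifier or an (array identifier, subscript) pair,
# mirroring Var = Id + [Id x Exp].  Environments map identifiers to locations (ints)
# or to array descriptors (Int -> Loc functions); stores map locations to values.

def eval_exp(exp, env, store):
    """Subscript expressions: an integer literal or a simple variable."""
    return exp if isinstance(exp, int) else store[env[exp]]

def loc_of(var, env, store):
    """LocOf(v; e; s): the location a variable argument denotes."""
    if isinstance(var, str):
        return env[var]
    array_id, subscript = var
    return env[array_id](eval_exp(subscript, env, store))

def distinct(items):
    items = list(items)
    return len(set(items)) == len(items)

def syntactic_check(var_args):
    """Distinct(id*) of the earlier definitions: identifiers only, decided from the
    program text, so no array element can be passed at all."""
    return all(isinstance(v, str) for v in var_args) and distinct(var_args)

def distinct_arrays_check(var_args):
    """The 'obvious' restriction of the text: array-element arguments must come from
    distinct arrays.  Decidable from the text, but rejects the valid p(a[1], a[2]:)."""
    return distinct(v if isinstance(v, str) else v[0] for v in var_args)

def location_check(var_args, env, store):
    """Distinct(LocOf(var*; e; s)) of the standard semantics: decided at run time, so
    p(a[i], a[j]:) passes or fails with the current values of i and j."""
    return distinct(loc_of(v, env, store) for v in var_args)

def call_p(var_args, env, store):
    """Execute p(x, y:) with body x := 1 by reference: the body writes through x's
    location; for p(a, a:) both x and y denote that one location."""
    x_loc, _y_loc = (loc_of(v, env, store) for v in var_args)
    return {**store, x_loc: 1}

def substitute(post, formals, actuals):
    """The procedure-call rule's substitution actuals/formals, applied to a
    postcondition given as a list of (identifier, value) equalities."""
    mapping = dict(zip(formals, actuals))
    return [(mapping.get(ident, ident), value) for ident, value in post]

def consistent(equalities):
    """False when one identifier is equated to two different values, as in {a=1 and a=2}."""
    seen = {}
    return all(seen.setdefault(ident, value) == value for ident, value in equalities)

def aliasing_demo():
    """Step (4) of the text's derivation against the actual effect of a := 2; p(a, a:)."""
    env, store = {"a": 0}, {0: 2}                  # the state after a := 2
    derived = substitute([("x", 1), ("y", 2)], ["x", "y"], ["a", "a"])
    actual_a = call_p(["a", "a"], env, store)[0]   # value of a after the call
    return derived, consistent(derived), actual_a

def side_condition_ok(arrays, subscripts, exprs):
    """Proviso of the extended rule: neither array appears in i1..im, j1..jk or in e*."""
    mentioned = {s for s in list(subscripts) + list(exprs) if isinstance(s, str)}
    return not (set(arrays) & mentioned)
```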

6.4 Type- and range-checking in PASCAL

6.4.1 Type-checking

One of the major areas of PASCAL which has not been treated in the PASCAL subset is the definition of type- and range-checking. In this section, we will conclude our discussion of extensions to the language by giving a sketch of how our mathematical semantics could be extended to provide a more accurate description of these notions. Additionally, we will comment on some of the controversy about types and subranges in PASCAL [Habermann 1973, Lecarme and Desjardins 1974] in terms of our extended mathematical model.
The easiest way to understand the extensions to the semantic model to define type-checking is in terms of the treatment of errors in our earlier definitions. As an example, consider the PASCAL subset code fragment

   if true then null else a[false] := 0 fi

Since we only allow integer subscripts, the statement is obviously invalid and should produce an error. Yet, in terms of the mathematical definitions given in this chapter and Chapter 4, we can easily show that the meaning of the preceding statement and null are equivalent and certainly not an error for arbitrary environments, continuations, and states (or stores).

If we view the mathematical definitions in an operational sense, the difficulty with the preceding definitions becomes clearer. The cases producing error in the mathematical definitions are determined "dynamically," i.e., from the interpretation of the semantic equations for particular values of the arguments. And, if certain subformulas of the meaning equations are not used in giving the value of the final output of the program, then the fact that these subformulas may be semantically "meaningless" is irrelevant in determining this final value.

In our PASCAL subset, there are two major ways in which semantically erroneous subformulas may be made irrelevant in determining the output of a PASCAL code fragment:

1. an erroneous statement is a component which is conditionally executed. In addition to our previous example of an if statement, errors could also remain "hidden" in while and for statements, where the statement bodies may never be executed.

2. an erroneous statement may also be contained in a procedure, function, or label declaration which is never referred to in the program body.

To extend our PASCAL subset definitions to handle erroneous programs consistent with the informal notions of type-checking given in the Revised PASCAL Report, we must extend both the language (to allow associations of types with identifiers) and the semantic model to record these associations and to examine the program for the consistency of the type of a name and its usage within the program text. A complete description of the rather complex PASCAL type structure is given in [Tennent 1975]. Here we will consider only a rather simple subset of full PASCAL to show how our earlier semantics could be extended to provide static type-checking and how the proofs of Chapter 5 would be affected by the extension.

To extend the PASCAL subset language to allow type specification for names, we extend the syntax of declarations as follows.

   <type> ::= integer | boolean | integer array | boolean array

   <typed identifier list> ::= <empty>
       | <type> <identifier> {, <type> <identifier>}

   <typed procedure block> ::= <typed procedure block heading>;
           <typed procedure block>;
           <typed variable block>
       | <typed procedure block heading>;
           <typed variable block>

   <typed variable block> ::= var <identifier list>: <type>;
           <label block>
       | <label block>

   <typed procedure block heading> ::=
         procedure <identifier> (<typed identifier list> : <typed identifier list>)
       | integer function <identifier> (<typed identifier list>)
       | boolean function <identifier> (<typed identifier list>)

   <typed program> ::= program <identifier>;
           <typed procedure block>.

Now, to give the semantics of our new typed programs, we will use a new domain, the "static" or "type" environment, in the interpretation function to record the types of identifiers. Thus, our new semantic domains will include:


   Btype = {bool, int, boolarray, intarray}        basic types

   Ptype = Btype* x Btype*                          procedure types
           The type of a procedure is the type of each parameter.

   Ftype = {bool, int} x Btype*                     function types
           The type of a function is the type of the returned result
           and the type of each argument.

   Undec = {ud}                                     undeclared

   Type  = Btype + Ptype + Ftype + Undec + {label}  types

   Senv  = Id -> Type                               static or type environments

The new type-checking semantic functions will be of type:

   Met : Exp   -> [Senv -> [Env -> [S -> Val]]]
   Mat : Varg  -> [Senv -> [Env -> [S -> Arg]]]
   Mst : Stmt  -> [Senv -> [Env -> [C -> [S -> Val*]]]]
   Mpt : Tprog -> [Val* -> Val*]

where Tprog is the syntactic domain of typed programs.

Rather than presenting the complete semantics of our new typed PASCAL subset, we will simply describe the general form of the definitions. The basic idea in giving the clauses of Met, Mat, and Mst appears in several places [J. Morris 1968, Ledgard 1971, Tennent 1975]. Essentially, we can define two functions:
   TypeCorrectExp: Exp -> [Senv -> Bool]

and

   TypeCorrectStmt: Stmt -> [Senv -> Bool]

such that they produce true iff the expression or statement is correct with respect to the current type environment, i.e., no type conflicts occur between declarations and usage of identifiers. Then, for each statement and expression, we can define Mst and Met by:

   Mst<stmt>(se; e; c; s) =
     if TypeCorrectStmt(stmt; se) then Ms<stmt>(e; c; s) else ⊥

   Met<exp>(se; e; s) =
     if TypeCorrectExp(exp; se) then Me<exp>(e; s) else ⊥

We present the clauses of the definition for the typed declarations given above and for programs to complete our description of the extended semantics.

   Mst<procedure id([btype1 id1]*: [btype2 id2]*); vblock; pblock>(se; e; c; s) =
     if TypeCorrectStmt(vblock; se1)
     then if TypeCorrectStmt(pblock; se2)
          then Ms<procedure id(id1*: id2*); vblock; pblock>(e; c; s)
          else ⊥
     else ⊥
     where
       se1 = se[id1* <- btype1*; id2* <- btype2*; id <- [btype1* x btype2*]];
       se2 = se[id <- [btype1* x btype2*]]


   Mst<btype function id([btype id]*); vblock; pblock>(se; e; c; s) =
     if TypeCorrectStmt(vblock; se1)
     then if TypeCorrectStmt(pblock; se2)
          then Ms<function id(id*); vblock; pblock>(e; c; s)
          else ⊥
     else ⊥
     where
       se1 = se[id* <- btype*; id <- [btype x btype*]];
       se2 = se[id <- [btype x btype*]]


   Mst<id: stmt; lblock>(se; e; c; s) =
     if TypeCorrectStmt(stmt; se)
     then if TypeCorrectStmt(lblock; se[id <- label])
          then Ms<id: stmt; lblock>(e; c; s)
          else ⊥
     else ⊥
   Mpt<program id; vblock.>(v*) =
     if TypeCorrectStmt(vblock.; (Id x): ud)
     then Mp<program id; vblock.>(v*)
     else ⊥
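As an added example (not code from the thesis), the following Python checker implements TypeCorrectExp and TypeCorrectStmt over a static environment for a part of the typed subset, beside an untyped Ms, so that Mst rejects the statement if true then null else a[false] := 0 fi from the start of this section while Ms executes it without ever reaching the error; the tuple encoding of statements and the spelling of the type names are assumptions of the example.

```python
"""Static type-checking with a type environment Senv (constructed example, not the
thesis's own code): TypeCorrectStmt decides a statement from its text alone, while the
untyped meaning Ms only meets an error if the faulty part is actually executed."""

UD = "ud"                                        # Undec: the type of undeclared names
ELEMENT = {"intarray": "int", "boolarray": "bool"}
BOTTOM = "⊥"

class Bottom(Exception):
    pass                                         # raised when an executed part is erroneous

def type_of_exp(exp, senv):
    """TypeCorrectExp, generalised to return the type, or None on a conflict."""
    tag = exp[0]
    if tag == "num":
        return "int"
    if tag == "bool":
        return "bool"
    if tag == "var":
        t = senv.get(exp[1], UD)
        return t if t in ("int", "bool") else None
    if tag == "index":                           # a[e]: a an array, e an integer
        array_t = senv.get(exp[1], UD)
        if array_t in ELEMENT and type_of_exp(exp[2], senv) == "int":
            return ELEMENT[array_t]
    return None

def type_correct_stmt(stmt, senv):
    """TypeCorrectStmt: every component is checked, whether or not it would run."""
    tag = stmt[0]
    if tag == "null":
        return True
    if tag == "assign":                          # target and value types must agree
        t = type_of_exp(stmt[1], senv)
        return t is not None and t == type_of_exp(stmt[2], senv)
    if tag == "if":
        return (type_of_exp(stmt[1], senv) == "bool"
                and type_correct_stmt(stmt[2], senv)
                and type_correct_stmt(stmt[3], senv))
    if tag == "seq":
        return type_correct_stmt(stmt[1], senv) and type_correct_stmt(stmt[2], senv)
    if tag == "var":                             # var ids: btype; body  extends Senv
        ids, btype, body = stmt[1], stmt[2], stmt[3]
        return type_correct_stmt(body, {**senv, **{i: btype for i in ids}})
    return False

def eval_exp(exp, env, store):
    tag = exp[0]
    if tag in ("num", "bool"):
        return exp[1]
    if tag == "var":
        return store[env[exp[1]]]
    if tag == "index":
        k = eval_exp(exp[2], env, store)
        if type(k) is not int:                   # only integer subscripts exist
            raise Bottom("non-integer subscript")
        return store[env[exp[1]]][k]
    raise Bottom(exp)

def _ms(stmt, env, store):
    tag = stmt[0]
    if tag == "null":
        return store
    if tag == "assign":
        target, value = stmt[1], eval_exp(stmt[2], env, store)
        if target[0] == "var":
            return {**store, env[target[1]]: value}
        k = eval_exp(target[2], env, store)
        if type(k) is not int:
            raise Bottom("non-integer subscript")
        loc = env[target[1]]
        return {**store, loc: {**store[loc], k: value}}
    if tag == "if":                              # only the chosen branch is interpreted
        return _ms(stmt[2] if eval_exp(stmt[1], env, store) else stmt[3], env, store)
    if tag == "seq":
        return _ms(stmt[2], env, _ms(stmt[1], env, store))
    if tag == "var":
        base = len(store)
        env = {**env, **{i: base + k for k, i in enumerate(stmt[1])}}
        init = {} if stmt[2] in ELEMENT else 0   # arrays start as empty Int -> Val maps
        store = {**store, **{base + k: init for k in range(len(stmt[1]))}}
        return _ms(stmt[3], env, store)
    raise Bottom(stmt)

def ms(stmt, env, store):
    """Ms<stmt>(e; c; s) with the identity continuation: the final store, or ⊥."""
    try:
        return _ms(stmt, env, store)
    except Bottom:
        return BOTTOM

def mst(stmt, senv, env, store):
    """Mst<stmt>(se; e; c; s) = if TypeCorrectStmt(stmt; se) then Ms<stmt>(e; c; s) else ⊥."""
    return ms(stmt, env, store) if type_correct_stmt(stmt, senv) else BOTTOM

# The text's example with the typed declaration the extended syntax requires:
#   var a: integer array; if true then null else a[false] := 0 fi
HIDDEN_ERROR = ("var", ["a"], "intarray",
                ("if", ("bool", True), ("null",),
                 ("assign", ("index", "a", ("bool", False)), ("num", 0))))
```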

Fortunately, the addition of type-checking to our PASCAL subset has only a minor effect on the proofs of consistency given in Chapter 5. Since we gave an interpretation of axiomatic formulas involving only partial correctness, the fact that some syntactically valid statements may be erroneous can be easily handled by a simple modification of our interpretation of axiomatic formulas. If we use the typed PASCAL subset as our new language, we must define {P} A {Q} as

   ∀se ∀s [P(e; s) => ∀s' ∀c [Mst<A>(se; e; c; s) = c(s') => Q(e; s')]].

All of the proofs in Chapter 5 obviously remain valid using this interpretation, since the only major change is for more cases to produce ⊥ for the value of

   Mst<A>(se; e; c; s).

PASCAL also allows the definition of a type as a subrange of a larger type. For example, we may define the variable v to be of type integer, but only capable of storing values from 1 to 10, by the declaration

   var v: 1..10;

The association of subranges of a type with variables has two important benefits in PASCAL:

1. an implementation may use the information about the limited range of values that may be stored in a variable to economize on the amount of storage allocated for variables.

2. array bounds checking, which must usually be postponed until execution of the program, can sometimes be performed during compilation. For example, given the declarations

   var i: 1..10;
   var a: array 1..100 of real;

we can determine during compilation that if all assignments attempting to replace i with a value less than one or greater than ten are trapped as errors, then all subscript references of the form a[i] will be valid and will not require a run-time check. And, if we assume that subscript references usually occur more frequently than assignments to index variables, the speed of execution can be increased while still providing a desired "protection" feature.


One of the major difficulties with this use of subranges as a data type is noted in [Habermann 1973, Lecarme and Desjardins 1974]. Subranges are also used to specify the types of arrays by giving the type of the legal subscript values, so that

   array 1..10 of real

and

   array 1..100 of real

are completely distinct types in PASCAL, and there is no way within the language to define a type, "array of integer to real," such that both of the types defined above are particular instances of this more general type.
This becomes a serious problem in defining procedures operating on arrays. Since all arguments to procedures must be typed and no general array types exist, it is simply not possible to define a procedure which operates on array arguments of arbitrary size. Thus, for example, we could not write the simple function

   integer function Sum(a: array ???? of integer, n: integer);
   begin
     Sum := 0;
     for i := 1 to n do Sum := Sum + a[i] od
   end;

to sum the first n elements of an arbitrary array. Using the semantic models of this chapter, we can give a view of range-checking which makes clear the distinction between type-checking and range-checking and shows how the difficulty described above can be avoided.

The specification of subranges for variables is essentially a recognition of the finiteness of the underlying store, something which does not appear either explicitly or implicitly in the semantic models presented thus far. In terms of our standard semantics, this assumption is of particular importance in two contexts:

1. We assume that arbitrarily large values may be stored in each location of the store. In a more detailed model describing the semantics of our language relative to an abstract store which more closely resembles a real "main storage unit," we would need to allow different locations to store values of different maximum size. For example, in the recent description of PL/I [Bekic et al. 1974], it is assumed that the abstract store function is "range-preserving," i.e., each location has associated with it a certain range of values which it may contain.

2. The functions used to define both the abstract store itself and arrays have infinite domains and co-domains. Thus our standard semantics assumes an essentially unbounded number of storage locations and arrays which may grow to unbounded size. Again, for any real implementation these are unrealistic assumptions, but they need only be introduced in the model to make the semantics more accurate with respect to a real implementation.

To define a standard semantics for PASCAL which accurately reflects PASCAL range-checking, we need only extend the domain S' of locations to include the range associated with the location, i.e., we have

   S' = [Loc -> [Bool x Rng x [Val + [Int -> Loc] + Udef]]] x Val* x Val*     stores

where Rng is the domain of ranges. A range can be represented by a value

   Rng = [Int x Int]

and represents either:

1. the minimum and maximum values associated with a simple variable, or

2. the minimum and maximum subscript values for an array descriptor.

Finally, the function New would have to be changed to be of type

   New: Rng -> [S' -> [Loc x S']]

and would produce a new location with the appropriate range.
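The following Python model is an added example (not the thesis's own code) of the range-preserving store S' and the new form of New just described, together with the compile-time decision, from the discussion of subrange benefits above, that a[i] needs no run-time subscript check when i is declared 1..10 and a is declared array 1..100; array element locations are given an unrestricted range, which is an assumption of the example.

```python
"""A range-preserving store S' = Loc -> [Bool x Rng x [Val + [Int -> Loc] + Udef]]
(constructed example, not the thesis's own code): every location carries a range, New
takes the range as its argument, and assignment and subscripting are checked against it."""
from typing import NamedTuple

UDEF = "udef"
UNRESTRICTED = (float("-inf"), float("inf"))   # assumed range for locations without a subrange

class Cell(NamedTuple):
    tag: bool        # the Bool component: has the location been assigned?
    rng: tuple       # Rng = [Int x Int]: (minimum, maximum)
    value: object    # a Val, an array descriptor (dict Int -> Loc), or UDEF

def new(rng, store):
    """New: Rng -> [S' -> [Loc x S']]: a fresh location carrying rng."""
    loc = len(store)
    return loc, {**store, loc: Cell(False, rng, UDEF)}

def new_array(rng, store):
    """A descriptor for array rng[0]..rng[1]; its range is the legal subscript range."""
    lo, hi = rng
    descriptor = {}
    for k in range(lo, hi + 1):
        loc, store = new(UNRESTRICTED, store)    # one element location per subscript
        descriptor[k] = loc
    loc = len(store)
    return loc, {**store, loc: Cell(True, rng, descriptor)}

def assign(loc, value, store):
    """Range-checked assignment to a simple variable: None (⊥) outside the range."""
    cell = store[loc]
    lo, hi = cell.rng
    if not lo <= value <= hi:
        return None
    return {**store, loc: Cell(True, cell.rng, value)}

def subscript(array_loc, index, store):
    """Range-checked subscript: the location of a[index], or None (⊥) when out of range."""
    cell = store[array_loc]
    lo, hi = cell.rng
    return cell.value[index] if lo <= index <= hi else None

def subscript_check_redundant(index_loc, array_loc, store):
    """The compile-time decision described in the text: when every value the index
    variable may hold lies within the array's subscript range, a[i] needs no run-time
    subscript check.  Here the two ranges are read from the store's cells."""
    ilo, ihi = store[index_loc].rng
    alo, ahi = store[array_loc].rng
    return alo <= ilo and ihi <= ahi

def demo():
    """var i: 1..10; var a: array 1..100 of real; followed by assignments to i."""
    store = {}
    i, store = new((1, 10), store)
    a, store = new_array((1, 100), store)
    outcome = {}
    for v in (1, 10, 11, 0):
        s2 = assign(i, v, store)
        outcome[v] = "range error" if s2 is None else subscript(a, s2[i].value, s2)
    return outcome, subscript_check_redundant(i, a, store)
```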


The important point is that this description of range-checking in no way changes the description of type-checking given above, since no modification has been made to the static environment used to give the semantics of type-checking. Here we have made explicit in our model the fact that range-checking is inherently a "run-time" activity. A smart compiler may make use of range information to perform some tests earlier than necessary or to trade some tests for others, but the distinction between the static nature of type-checking and the dynamic nature of range-checking should not be lost. Thus, for purposes of type-checking, the declarations

   var a: array 1..10 of real

and

   var a: array 1..100 of real

should be regarded as equivalent, i.e., both are declarations of

   var a: array of real,

while their "run-time" semantics (representation in the abstract store) will obviously be quite different.
Chapter 7

Conclusions and Directions for Future Research

7.1 Conclusions

In conclusion, we will return to the claim made in the first chapter, namely that the semantics of a programming language may best be given by complementary definitions. We must first, however, summarize the results presented in the thesis.

Chapter 4 presented a complete mathematical and axiomatic definition of a large subset of the programming language PASCAL. Moreover, the mathematical semantics were given using a domain structure which was less "powerful" than standard mathematical semantics and which reflected the implicit assumptions of the axiomatic system. In Chapter 5, we proved that the axiomatic definition was valid with respect to the model provided by the mathematical definition. We also provided a mathematical interpretation of Dijkstra's predicate transformers, and proved the properties of "healthy" predicate transformers as theorems about the given interpretation. Finally, in Chapter 6 we introduced a "standard" mathematical model of semantics and gave the standard semantics of the PASCAL subset. After proving this standard semantics to be equivalent to the earlier semantics, several extensions to the PASCAL subset were considered in terms of their effect on both the mathematical and axiomatic definitions. In particular, it was shown that global variable references within procedures and "escapes" from procedures and functions are inherently "complex" features requiring major changes in both the mathematical and axiomatic definitions of procedure declaration and call.

The question which remains to be answered is how our initial claim of the usefulness of complementary definitions is validated by the preceding presentation. Remember that, in the first two chapters, we justified the use of complementary definitions of semantics by arguing that:

1. definitions of a language need to be provided at several levels of abstraction to provide suitable descriptions for the various purposes for which semantic definitions are necessary, and

2. the development of more than one definition of a programming language could point up inconsistencies or unnecessary complexities in the language design.

To appraise the validity of our claims in the light of the material presented in the thesis, we first turn to the assertion that the definition techniques used above are each useful for particular purposes and complement each other well.

The usefulness of axiomatic definitions has been well-established in proving properties of programs. Proofs based on axiomatic definitions have been produced using proof-generating programs [Igarashi, London, and Luckham 1973] and proof-checking programs [Lauer 1971], in addition to the more mundane generation of proofs without computer assistance [Hoare 1971b and the examples used in this thesis]. Additionally, propositional definitions have been used in a number of texts to describe ways of "understanding" programs [Dijkstra 1971, Conway and Gries 1973, Wirth 1973b]. The high level of abstraction used in axiomatic definitions appears to be of particular advantage in giving a good intuition for how to use the constructs of a language. This seems particularly true for beginning programmers, for whom the major difficulty is trying to find some means of translating a vague idea of an algorithm into a working program.

While the axiomatic definition seems to provide a useful means of developing a "piece-wise" understanding of a programming language, the mathematical approach to semantics seems to give a useful "global," as well as "local," description of the semantics of a language. This global view comes from the requirement to specify completely the syntactic and semantic domains used in the definitions. The descriptions of the domain structure of the definitions of Chapters 4 and 6 provide a simple and fairly natural description of "what the language is all about." The notions of environment, machine store, program and input and output files are common to most programmers and provide a way to grasp the relationships that exist among the various constructs in the language.

Moreover, the provided by the domain specification seems to be an invaluable tool to language designers. In [1973a], Tennent describes an elegant extension of QUEST to provide pattern-matching that is strongly based on a mathematical analysis of QUEST and SNOBOL4. In the preceding chapter, various proposed extensions to the PASCAL subset were best explained in terms of the changes made in the models used to define the extended languages, rather than looking at the changes necessary in the axiom system. Thus, we have a way of describing the global, as well as the local, effects of changes in the language. This sort of Weltanschauung is difficult to obtain using the axiomatic approach because of the way in which the "state" is abstracted from axiomatic definitions.

So it seems that the two approaches to semantics used in the thesis have complementary strengths and weaknesses when applied to particular tasks. The final question is whether the process of giving both mathematical and axiomatic semantics of the same language has provided any insights into some of the basic problems of language design. Here, again, the evidence seems to support the claim.

The best example of this can be found in the mathematical model used in Chapter 4. The relatively simple form of the axiomatic definition suggested that a mathematical model simpler than the standard one could be used to give the mathematical semantics of the PASCAL subset. However, as was noted in Chapter 6, this simple model is inadequate to define global variable references in procedures, a construct for which a standard model appears to be needed. It is interesting to note that global variables have become a "harmful" construct recently [Wulf and Shaw 1973], joining the goto on the list of constructs deemed unsuited to production of well-structured programs. Although the earlier arguments against the uses of global variables were based on intuitions about "readability" or "understandability," we can now show that the definition of the semantics of procedures with global variables requires a more powerful model than that used to give the semantics of the PASCAL subset. This view of defining the complexity of a construct in terms of the complexity of the model needed to give its semantics may prove useful in pinpointing many of the important decisions which must be made in language design.

7.2 Directions for Future Research

The preceding comments on the "complexity" of global variables lead to one of the areas of future research suggested by the thesis. One of the major problems in designing, defining, or presenting a programming language in a coherent manner is finding a suitable semantic model. As we have seen in Chapter 6, this choice of an appropriate model has some subtle ramifications, in that the model chosen may be too powerful or not powerful enough for the language at hand. Thus, two important questions deserving future research are:

1. What are an appropriate set of models to use to give the mathematical semantics of most programming languages? A variety of models have appeared in the literature (e.g., [Milne 1974, Tennent 1973b, Donahue 1974b]), but each model has essentially been applied only to a particular language for a particular purpose. The systematic study of the general utility of these various models remains to be done.

2. What are the constructs in a language that require more powerful models? It seems possible to build up a notion of the "level of complexity" of a language in terms of its underlying semantic model. Perhaps if languages were designed in terms of what can be defined at the level chosen by the designer as appropriate, then they might exhibit a coherence and uniformity of outlook that seem lacking in most languages in current use.

In addition to this broad area of future research suggested by our mathematical definitions, two areas worthy of future research are suggested by the axiomatic definition of the PASCAL subset. Both are concerned with the form of the assertion language used. The first involves the treatment of quantifiers in assertions. In our assertion language, only bounded quantification is allowed. Although this restriction is sufficient to give the PASCAL subset semantics and to make the assertions continuous predicates, it seems that a more aesthetically pleasing and mathematically elegant treatment of quantification could be given. Such a treatment would allow unbounded quantification in some restricted form while still preserving the continuity of the predicates. How to do this seems to be an interesting theoretical question worthy of future examination.

The second question regarding assertions is of a more practical nature. It has been suggested by Jones [1973] that the axiomatic approach be extended to allow post-assertions to refer to the values of variables both after execution of a statement and prior to execution of a statement. This could be accomplished by some notation within axiomatic formulas to allow subsidiary definitions; for example, we could define formulas of the form

{P} S {Q} where x = e

to be defined as in Chapter 4, except that all free occurrences of x within Q would be understood to refer to the initial value of the expression e.

This approach to assertions seems to have some advantages in giving definitions worth further examination. As an example, we note that the procedure call rule seems to be amenable to some simplification using this technique. Remember that the rule of inference for procedure calls given in Chapter 4 was

{P} p(x:y) {Q}
----------------------------------
{P<a/x, e/y>} p(a:e) {Q<a/x, e/y>}

where all of the identifiers in a are distinct and none of the identifiers in a appear in e.
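Before turning to the simplified form, a concrete instance of the rule above and of the "where" notation, added here as an illustration that is not part of the thesis (the procedure p, its assertions, and the actual parameters a and b+1 are assumed):

\[
\frac{\{\,y \geq 0\,\}\ p(x{:}y)\ \{\,x = y + 1\,\}}
     {\{\,b + 1 \geq 0\,\}\ p(a{:}b+1)\ \{\,a = b + 1 + 1\,\}}
\]

Here the substitution <a/x, e/y> with e = b+1 is applied to both the pre- and the post-assertion, and the side condition holds because the identifier a does not occur in b+1; for the call p(b:b+1) the rule would not apply, since b occurs in the value parameter expression. With the "where" notation, the dependence of a post-assertion on an initial value can be stated without carrying an auxiliary variable in the pre-assertion:

\[
\{\,\mathit{true}\,\}\ x := x + 1\ \{\,x = x_0 + 1\,\}\ \text{where}\ x_0 = x
\]

so that x_0 in the post-assertion denotes the value of x before the assignment is executed.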

Using the notation described above, this rule can be given as
were still developed in a fairly ad hoc fashion. Given the work in the development of logical systems like LCF for fixed point definition techniques, the obvious question is whether these proofs could be produced with the aid of a computer. This seems to be a question of both practical and theoretical importance. As was noted in Chapter 5, one of the major problems faced in completing the proofs was simply the size of the programming language that had been defined. Yet the PASCAL subset is still not as rich as Algol 60, full PASCAL, or PL/I in terms of the number of constructs provided. This strongly suggests that if we eventually wish to define "real" programming languages using the techniques of complementary definitions, then some mechanical assistance will be necessary. Otherwise, in a field which changes as rapidly as programming languages, the language will be obsolete before the designer has been able to check that the definitions are correct.